(54) Title: A SECURE PAY-AS-YOU-USE SYSTEM FOR COMPUTER SOFTWARE

(57) Abstract

A method of renting software that relies on the reversal of encryption processes by the integration of secure processing into the system microprocessor of a user controlled data processing system. It consists of protected software objects that, in addition to being functionally limited so that reversal of said limitation is required within the system microprocessor, also carry closely integrated information about conditions of use. This is used to distribute computer software on a large scale that may run on any computer. The user is charged on a unit basis. The secure processes described for the system microprocessor will have applications in other secure processes.
TITLE OF INVENTION:

A SECURE PAY-AS-YOU-USE SYSTEM FOR COMPUTER SOFTWARE

TECHNICAL FIELD:

The distribution of software and other information reversibly functionally limited, usually by encryption, requiring reversal by a secure device that may also be used to provide software on a pay-as-you-use basis.

BACKGROUND TO THE INVENTION AND DESCRIPTION OF THE RELATED ART

The invention describes a method and apparatus whereby information is protected such that it cannot be used without the assistance of one or multiple secret processing devices. Said secret processing devices provide a mechanism for reversing the protection applied to said information, and said reversing may only be activated by certain predetermined secure processes. The process of activating said reversing usually ensures that the producer of said information and or their agents receive correct payment for usage.

High speed dispersal of information between most computers with access to a communications network, together with forthcoming means of storing in excess of ten gigabytes of information on a writable optical disk, is likely to lessen the commercial value of information released in clear code format. One clear code copy in the wrong hands could result in its effective worldwide dispersal in a short time.

One objective of the invention is to provide a means of maintaining the security applied to information while it performs the functions required of it.

The known art describes a means of protecting computer software by requiring the presence of particular devices to operate properly. These devices are secure to varying extents. The problem with computer software is that the protection applied must be reversed prior to providing the information to the system CPU for processing. Once reversed it is accessible to those experienced in the art.

Known art WO 90/13865 describes a process wherein a secure location remote to a potential user supplies an encrypted software object to a user controlled data processing system and a secure method of decrypting said encrypted software object. The software object usually contains information that is continually varying. This provides security by default in that it is a waste of time analysing information that is redundant shortly after its creation. This known art does not provide effective security against objects that, once downloaded and deciphered, may be used in perpetuity, as is usually the case with computer programs.

Known art described in AU-A-14856/95 relies on software methods to process the deciphering algorithms used to reverse functional limitations placed on software objects. Said software methods are susceptible to an experienced person generating usable information from protected software objects reliant on this method.
The current invention may be used to significantly strengthen the security in WO 90/13865 and or AU-A-14856/95. It may also be used as a significantly more secure and flexible replacement for this known art.

Other known art calculates (and this may be by the use of microcode) certain values in a secure environment. Said values are passed to an associated computer program and compared with internally generated values. These methods are in effect verifying that said secure environment is present and has presumably been purchased with the computer program. Said secure environment is not providing an essential function absent from said associated computer program, as it is practical to circumvent this protection by disassembly of parts of the program to examine the other side of the equation.

The known art describes a cryptoprocessor (US patents 4465901, 4419079, 4278837, 4168396) that is capable of deciphering instructions and or data in real time as it is loaded into the central processing unit. Said instructions and or data are usually stored in enciphered format in external memory. This known art is not suitable for use in a user controlled data processing system:

• that may variably have one or multiple programs loaded from a potentially large selection and or said programs may use different decryption parameters; and or

• where the address occupied by a particular program may be different on each occasion it is loaded (said known art is particularly directed at ensuring that an encrypted program will crash with minor variations to its location in the address map); and or

• where one or multiple encrypted programs may need to co-exist with clear code programs in a constantly varying environment; and or

• where it is not usually practical to protect the external memory from tampering; and or

• when an interrupt to an encrypted program may direct processing to methods that may threaten the secrecy of certain information, and this may include that within CPU registers at the time of interrupt; and or

• where an encrypted program needs to temporarily transfer processing to an unsecure location; and or

• where an encrypted program needs to protect its stack from analysis; and or

• where an encrypted program exists as multiple modules that are loaded as required and where one or multiple modules may use different decryption parameters that need to be dynamically changed as program execution flows between them; and or

• where different programs in a multitasking environment may have different decryption parameters that need to be securely switched on a frequent basis.



The known art describes the programming of software objects into a secure microcontroller. This is restricted to a limited number of predefined functions. However, the known art does not describe the processing of software objects within a user controlled data processing system in conjunction with a secure environment, that is not practical to analyse, wherein said secure environment (that may be a microprocessor) includes inaccessible information and also provides for external software objects, that may be selected and loaded as required from a potentially large number, to be able to transfer processing (and or pass any required data) to said inaccessible information within said secure environment, wherein said secure environment includes computer instructions and or data (including that passed) which may be processed in secret within said secure environment to perform important functions and or any other functions that are absent from said software object and that provides for transfer of processing and or data to said software object as appropriate; and or provide data that is absent from an external software object when appropriately requested by said software object. Said inaccessible information:

• may be preprogrammed into a storage device; and or

• may be greater than the available storage device within said secure environment; or

• may be dynamically swapped in and out of said secure environment; and or

• may be transferred to said secure environment and decrypted within said environment and processed within said secure environment; and this applies for any of the preceding combinations in:

• one or multiple system microprocessors; and or

• one or multiple devices attached directly and or indirectly; and or

• devices linked via a network or the Internet (or equivalent in part).

The known art does not describe any method and apparatus that permits multiple protected software objects, including those protected:

• by software encryption/decryption alone, and or

• by secure decryption within a secret environment, and or

• by secure decryption and secure execution of the ensuing decrypted information within a secret environment,

that allows said multiple protected software objects to concurrently and or otherwise execute in a multitasking and or multiuser and or multiprocessor environment (where said multiprocessors may be the same and or different).

One objective of the present invention is to provide a method and apparatus:

• that overcomes part or all of the aforementioned deficiencies in the known art, and

• that may be used to support a multiplicity of new methods and apparatus for distributing computer software, and

• that may be used to strengthen a number of weaknesses with the current art.

The known art describes a number of methods for distributing software whereby the user pays on 'an as used basis'. These methods include those protected exclusively by software methods. These usually include various software clocks that count down on a predetermined basis and inactivate the program at the appropriate time. Payment is usually made for the use of a particular object on the terms predetermined. Disadvantages of this method include:

• inherent lack of security;

• the unsecure nature of the protection processes makes it unlikely that software vendors will feel comfortable with the process;

• should software vendors make a large selection of software available, users would have to pay for access to the full period predetermined for each program, making it unappealing for users to access a large number of different programs as required (apart from any trial periods);

• lack of flexibility;

• the user cannot self-determine the amount of time.

The security of the process for renting software is improved with known art described in WO 90/13865, wherein there is a secure device within the user controlled data processing system that monitors the time used by a software object downloaded from a service provider. Details of time used are periodically transferred back to the service provider. This method requires the user to be on line to receive said software object and to receive the timing parameters pertaining to said software object. The method also requires the user to remain on line for monitoring and security of the process and to periodically upload elapsed time to the service provider. The user would normally be billed on a predetermined basis for software usage.

The known art does not describe a method and apparatus to provide a secure and secret environment for the secure recording of usage of more than one program at a time in a multitasking and or multiuser and or multiprocessor environment.

The known art does not describe a secure and secret environment that can be securely preprogrammed with a predetermined amount of usage, whereby said usage:

• is prepaid and or

• is a credit limit for use that will be billed at a later date;

and said predetermined amount of usage remains available for an extended period of time (preferably surviving loss of system power) to be used as required, with said predetermined amount of usage appropriately applied to multiple software objects over said extended time, and or said predetermined amount of usage may be securely updated with additional usage rights as required.

The known art does not describe a secure and secret environment that can:

• securely record usage of software objects; and or

• securely maintain a record of amounts owing to different vendors and or against different software objects, and or

• provide a report on any basis, including usage, and or

• temporarily or permanently disable itself in part or whole should said predetermined amount of usage be utilised, and or

• temporarily or permanently disable itself should it fail to receive secure confirmation that reports sent to a service provider have been received.

The known art does not describe a method and apparatus to permit a large number of software objects to be created that include information about their particular billing requirements, whereby said software objects are subsequently distributed on a large scale permitting each potential user to use any of the software objects as frequently as they require and only pay for use incurred, said use reducing the amount of usage predetermined within said secure and secret environment. There is no known method and apparatus that compensates for variations between information stored within previously released software objects and that which is current, particularly as it applies to billing information.
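As an added illustration (not code from the patent, and not the apparatus it claims) of the secure usage ledger described in the preceding paragraphs, the following Python model holds a prepaid amount of generic units, charges each protected software object according to its own billing conditions (a units-of-time basis or an events basis), keeps amounts owing per producer, produces reports, and disables itself when the credit is used up or when reports to the service provider go unconfirmed. All class and field names, the report-confirmation threshold and the sample conditions of use are assumptions; a real SPD would keep this state in tamper-resistant non-volatile memory rather than in Python objects.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ConditionsOfUse:
    """Billing terms bound to a protected software object (assumed field names).
    fee_units is a fee in generic units; a vendor may attribute currency value later."""
    producer_id: str
    object_id: str
    basis: str        # "time": fee_units per second of execution; "event": fee_units per event
    fee_units: int


class SpdDisabled(Exception):
    """The device has disabled itself: credit exhausted or too many unconfirmed reports."""


class InsufficientCredit(Exception):
    """The requested use would exceed the remaining predetermined usage."""


class SecretProcessingDevice:
    """Model of the SPD's secure usage ledger (illustration only)."""

    def __init__(self, prepaid_units: int, max_unconfirmed_reports: int = 2):
        self.credit = prepaid_units            # predetermined amount of usage (prepaid or credit limit)
        self.owing: dict[str, int] = {}        # producer_id -> generic units owed
        self.usage: list[tuple] = []           # (object_id, basis, quantity, units charged)
        self.unconfirmed_reports = 0
        self.max_unconfirmed_reports = max_unconfirmed_reports

    @property
    def enabled(self) -> bool:
        # Disabled when the prepaid usage is used up, or when the service provider has
        # not confirmed receipt of the last reports (both conditions named in the text).
        return self.credit > 0 and self.unconfirmed_reports <= self.max_unconfirmed_reports

    def _charge(self, cou: ConditionsOfUse, quantity: int) -> int:
        if not self.enabled:
            raise SpdDisabled("device disabled: top up credit or confirm outstanding reports")
        if quantity <= 0:
            raise ValueError("quantity must be positive")
        units = cou.fee_units * quantity
        if units > self.credit:
            # Refuse the use rather than over-draw the predetermined usage.
            raise InsufficientCredit(f"need {units} units, {self.credit} remaining")
        self.credit -= units
        self.owing[cou.producer_id] = self.owing.get(cou.producer_id, 0) + units
        self.usage.append((cou.object_id, cou.basis, quantity, units))
        return units

    def record_time(self, cou: ConditionsOfUse, seconds: int) -> int:
        """Charge for execution time of an object billed on a units-of-time basis."""
        if cou.basis != "time":
            raise ValueError(f"{cou.object_id} is not billed on a time basis")
        return self._charge(cou, seconds)

    def record_event(self, cou: ConditionsOfUse, count: int = 1) -> int:
        """Charge for a countable event (e.g. a module load) of an object billed per event."""
        if cou.basis != "event":
            raise ValueError(f"{cou.object_id} is not billed on an events basis")
        return self._charge(cou, count)

    def report(self) -> dict:
        """Snapshot for the service provider; counts as unconfirmed until acknowledged."""
        self.unconfirmed_reports += 1
        return {"credit_remaining": self.credit,
                "owing": dict(self.owing),
                "usage": list(self.usage)}

    def confirm_report(self) -> None:
        """Secure confirmation from the service provider that reports were received."""
        self.unconfirmed_reports = 0

    def top_up(self, units: int) -> int:
        """Securely add usage rights (e.g. after payment); returns the new balance."""
        if units <= 0:
            raise ValueError("top-up must be positive")
        self.credit += units
        return self.credit


if __name__ == "__main__":
    # Constructed sample: an editor billed per second, a game billed per launch.
    spd = SecretProcessingDevice(prepaid_units=100, max_unconfirmed_reports=1)
    editor = ConditionsOfUse("acme", "editor-1", "time", fee_units=2)
    game = ConditionsOfUse("zed", "game-7", "event", fee_units=15)
    spd.record_time(editor, seconds=30)      # 60 units
    spd.record_event(game)                   # 15 units
    print(spd.report())                      # credit 25, owing acme 60 / zed 15
```

The two self-disabling rules are kept in a single `enabled` property so that every charge is gated by the same check; the refusal of an unaffordable charge is deliberately distinct from disabling, since the device still has credit for cheaper objects.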
It is another objective of the invention to provide a method and apparatus to overcome, in part or whole, the aforementioned deficiencies with the known art, and said method and apparatus may also be used for a number of other described applications. An important objective is the provision of a secure, virtually transparent (to the user) method of renting software for use on a user controlled data processing system (UCDPS) on a usage basis, that in one configuration is independent of any attachment to any devices coupled remotely (e.g. telecommunications links) to the UCDPS.

The method and apparatus described to advance the art of protecting and distributing computer software may also be adapted in part or whole to the protection and distribution of other commercially valuable information.

DEFINITIONS:

Replication or duplication may be one to many copies and may include replication of part or whole in any combination and or number.

Decrypt(ed) and decipher(ed) may be used interchangeably and refer to reversal of a previously applied encryption process. Unless relating to a specific decryption process that is a claim of the invention it may be interpreted as being any known method of decryption.

Decode is generally used in the traditional computer sense of decoding addresses etc.; however, where the context permits it should be interpreted as for decrypted.

Clear text (or clear code) is information that is not encrypted and may be derived from encrypted information and or may have been supplied as clear code.

Internal to the System CPU (or System Microprocessor) indicates that the hardware and or microcode and or software is on the same integrated circuit substrate; and or that they are on multiple substrates interfacing where necessary using any known method and apparatus within the package of the system CPU; and or part of the device is within the system CPU package and part (or all) external to the System CPU package and attached externally to the system CPU package using any known method and apparatus.

A system CPU, also referenced as system microprocessor, is one that a person experienced in the art would consider to be suitable as the primary (or one of multiple primary) processing units in a User Controlled Data Processing System (UCDPS).

Processing or process refers to the actual execution of computer instructions and or the manipulation (in any way) of data associated with the computer instructions and or manipulation (in any way) of any other data.
Software Object: A software object is that which a person experienced in the art would consider a software object. Computer programs and or subroutines that constitute part of a computer program are considered software objects. Data pertaining to said computer programs is a software object. Information that is processed by a UCDPS and subsequently displayed as text and or images and or sound for any reason, including as normal output from a computer program and or electronic books (and similar) and or music and or other sound and or visual imagery and or video in the form of motion pictures is a software object.

PCPU: Within this application reference to a PCPU or Protected CPU refers to a Secret Processing Device (SPD) embedded within the system microprocessor package of a UCDPS.

ESPD: Reference to an External Secret Processing Device or ESPD refers to an SPD attached directly or indirectly to any other part of the UCDPS.

End of Definitions.

DESCRIPTION OF THE DRAWINGS:

Figure 1 is a diagram of an apparatus suitable for use as a secret processing device embedded within the system microprocessor.

Figure 2 is a diagram of a basic embodiment of an SPD for use external to the system microprocessor.

Figure 3 is a diagram of the address map for secure functions within the system microprocessor.

Figure 4 is a diagram of the command port structure.

DESCRIPTION OF THE INVENTION:

A SECURE PAY-AS-YOU-USE SYSTEM FOR COMPUTER SOFTWARE

The invention describes a method and apparatus for the protection of software against piracy and provides a secure process for the mass distribution of software. This is done by functionally limiting a software object and securely linking it with conditions of use and object support information to create a Protected Software Object (or PSO) which must be used with a Secret Processing Device (or SPD) that is directly or indirectly attached to a User Controlled Data Processing System (or UCDPS). This provides a flexible and novel method of using and paying for software. The preferred location of the secret processing device is within the package of the system microprocessor of the User Controlled Data Processing System, where the combination is referred to as a Protected CPU (or PCPU).

The following describes those aspects considered essential to a full implementation of the invention:

1) a method of distributing software objects from a producer to a potential user:

i) providing a secret processing device (or SPD) for direct and or indirect attachment to a UCDPS where said SPD is any one or multiple hardware devices that may use any combination of software and or microcode and or any other method to provide a secure and secret environment for processing information and or storing information and that includes the following:

a) any one or multiple methods and or apparatus that:
securely decrypt and execute instructions and or securely decrypt and process data that complies with part or all of the requirements of reversing functional limitations applied using the Oscar method (described later); and or reverses the functional limitations applied using the Groover method (described later); and or reverses any other functional limitations applying to a PSO; and or transfer into the SPD any part of one or multiple PSOs that may be necessary to provide any of the functions required by said PSOs; and or access any part of one or multiple PSOs that may be located external to the SPD in order to provide any of the functions required by said PSOs; and or examine the generic and or distinct conditions of use linked to a particular PSO, and or determine a response to said conditions of use; and or respond to said conditions of use;

and or

b) may be embedded, in part or whole, within the package of the system microprocessor and or be within any one or multiple devices attached directly and or indirectly to the system microprocessor and or the UCDPS, and may not disrupt the normal functions of the UCDPS and may in part or whole be used as part of an application that in part or whole is dependent on connection to a distributed data processing system, that may be of any type, including local networks and or intranet (or similar) and or the Internet (or similar), and may benefit from connection to one or multiple remote computers and or any other devices to simplify transmission of various information; however, said secure and secret processing functions, in part or whole, are functional and or remain functional when said UCDPS, that has been provided with said secure and secret processing functions, is used as a standalone unit independently of attachment to remote devices, and said UCDPS may be switched on and off for variable periods of time and or moved to different locations and or reset as frequently as required, without affecting the functions that are provided to said UCDPS;

and or

c) provides an area of secure memory storage devices that is not practical to analyse;

and or

d) provides for partition of secure memory storage devices into one or multiple secure system partitions and one or multiple user partitions whereby programs in system partitions may access user partitions; however, a user partition may not access a system partition unless authorised, and or any particular user partition may not access any other user partition unless authorised;

and or

e) may transfer part or all of protected software objects and or any other software object from unsecure to secure locations for processing and or transfer information from a secure location to an unsecure location; and or

f) may securely decrypt part or all of the encrypted parts of protected software objects and or any other encrypted information within said secure locations;

and or

g) may process part or all of one or multiple protected software objects in secrecy, including processing of part or all of that information loaded in encrypted format and decrypted;

and or

h) are programs and or data preprogrammed into the device and or transferred in encrypted format and or in clear code, that assist and or replace any other known software protection and or distribution systems that are dependent in part or whole on user accessible software processes and or unsecure identifying codes to provide protection against unauthorised use of software objects, when part or all of said user accessible software processes and or unsecure identifying codes are transferred (either by preprogramming and or dynamically as required) to a secure location that permits private processing of the information;

and or

i) have the capacity to detect whether part or all of said suitably configured protected software objects have been tampered with;

and or

j) may perform secret encryption and or secret decryption in a manner that cannot be analysed, and this may be a software and or hardware function;

and or

k) have the capacity to implement, in part or whole, one or multiple hardware devices in programmable logic, preferably programmable logic that may be rapidly erased in the event of tampering, and this includes encryption and or decryption functions implemented in part or whole in hardware, and hardware functions implemented in programmable logic may be dynamically programmed by one or multiple protected software objects;

and or

l) may use any method to determine that there is an attempt to gain access to secret information within the SPD, and said attempt may be physical and or logical analysis, and the response may be any action, using any method, including disabling, temporarily and or permanently, part or all of the SPD and or invalidating in any way part or all of the secret information that may be stored within secure memory storage devices;

and or

m) may securely store information in encrypted and or clear code format in locations inaccessible to unauthorised parties and or securely store information in encrypted format in locations that may be accessible to unauthorised parties, and may detect tampering with stored information;

and or

n) may have the capacity to securely monitor the usage of protected software objects;

and or

o) may securely record the usage of said protected software objects and the record may include a secure breakdown of the usage on a producer and or product and or any other basis, and said record in part or whole;

and or

p) may request and or compel (this may include temporarily or permanently disabling part at least of the SPD) the user of the UCDPS to provide any necessary reports of usage to a service provider;

and or

q) may confirm that said reports have been received as required;

and or

r) does not require modification of the User Controlled Data Processing System operating system;

and or

s) may not require special routines to intercept calls to said system operating system;

and or

t) may identify the type of protected software object and act as required;

and or

u) provides or have access to one or multiple tamperproof, non-volatile source;
and or

v) provides or have access to one or multiple tamperproof;

and or

w) provides one or multiple methods of identifying at least one tamperproof environment, and this may include the use of an electronic signature;

and or

x) provides one or multiple secret codes and or programs that are unique to a particular SPD or across particular groups of SPDs;

and or

y) provides one or multiple programs, that may be preprogrammed (into the SPD) and or transferred (into the SPD) as required, that use secret information unique to the SPD to decrypt software objects;

and or

z) may process multiple protected software objects in a multitasking environment, and this may be transparent to the UCDPS operating system;

and or

aa) include functions, preferably implemented in reprogrammable secure memory, that may be edited and or modified and or deleted and or expanded and or in any other way altered, in a secure manner and usually transparently to the user of the UCDPS, enabling appropriate alteration of the SPD for any purpose, including: making multiple SPDs identical in part at least (including multiple PCPUs in a multiprocessor system); and or creating one or multiple applications not currently available to the SPD; and or permitting any current application to be dynamically adapted, including dynamically reprogramming various hardware functions implemented in part or whole with reprogrammable logic connections; and or dynamically modifying decryption processes;

and or

ab) are programs and or data preprogrammed into the device and or transferred in encrypted format and or in clear code that assist any function described for the correct processing of protected software objects;

and or

ac) include secure memory that stores various internal system routines and may be loaded with externally supplied objects for decryption and or execution and or any other purpose;

and or

ad) may decide to reverse one or multiple functional limitations on one or multiple PSOs subject to their conditions of use, where said decision is in part at least autonomous to the SPD and based in part at least on secure storage, internal and or external to the SPD, of generic information applicable to multiple PSOs, that may include a plurality of any information states within and or external to the SPD, including one or multiple electronic credits that are modified (directly or indirectly) in response to use of PSOs on a time and or events basis; so long as the requirements of one or multiple PSOs and or SPDs are complied with, the user of said UCDPS may be able to execute and or process one or multiple PSOs on the same basis as if they were unprotected software objects;
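Item d) above describes an asymmetric access rule for the SPD's partitioned secure memory. The Python model below is an added illustration (not code from the patent, and not its apparatus; all class, method and partition names are assumptions) that enforces that rule: a system partition may reach any partition, while a user partition reaches a system partition or another user partition only after a system partition has granted that access. Refused accesses are recorded, which is the kind of evidence item l) would treat as an attempt at logical analysis.

```python
from dataclasses import dataclass, field


class PartitionAccessError(PermissionError):
    """Raised when a partition tries to reach memory it has not been authorised to access."""


@dataclass
class Partition:
    name: str
    kind: str                                 # "system" or "user"
    grants: set = field(default_factory=set)  # names of other partitions this one may access
    data: dict = field(default_factory=dict)  # the partition's own secure storage


class SecureMemory:
    """Partitioned secure storage applying the system/user access rule of item d)."""

    def __init__(self):
        self.partitions: dict[str, Partition] = {}
        self.denied: list[tuple[str, str]] = []   # (requester, target) of refused accesses

    def create(self, name: str, kind: str) -> Partition:
        if kind not in ("system", "user"):
            raise ValueError("kind must be 'system' or 'user'")
        if name in self.partitions:
            raise ValueError(f"partition {name!r} already exists")
        part = Partition(name, kind)
        self.partitions[name] = part
        return part

    def may_access(self, requester: str, target: str) -> bool:
        req = self.partitions[requester]
        self.partitions[target]            # KeyError for an unknown target
        if requester == target:
            return True                    # a partition always owns its own storage
        if req.kind == "system":
            return True                    # system partitions may access user partitions
                                           # (system-to-system access is an assumption here)
        return target in req.grants        # user -> anything else needs explicit authorisation

    def authorise(self, grantor: str, requester: str, target: str) -> None:
        """Only a system partition may extend a user partition's reach."""
        if self.partitions[grantor].kind != "system":
            raise PartitionAccessError(f"{grantor!r} is not a system partition")
        self.partitions[requester].grants.add(target)

    def _check(self, requester: str, target: str) -> Partition:
        if not self.may_access(requester, target):
            self.denied.append((requester, target))
            raise PartitionAccessError(f"{requester!r} may not access {target!r}")
        return self.partitions[target]

    def write(self, requester: str, target: str, key: str, value) -> None:
        self._check(requester, target).data[key] = value

    def read(self, requester: str, target: str, key: str):
        return self._check(requester, target).data[key]


if __name__ == "__main__":
    # Constructed sample: two system partitions and two user partitions.
    mem = SecureMemory()
    mem.create("kernel", "system")
    mem.create("app_a", "user")
    mem.create("app_b", "user")
    mem.write("app_b", "app_b", "hiscore", 9)
    mem.authorise("kernel", "app_a", "app_b")      # app_a may now read app_b, not vice versa
    print(mem.read("app_a", "app_b", "hiscore"))   # 9
```

Grants are one-way and are held on the requesting partition, so authorising `app_a` to read `app_b` says nothing about `app_b` reading `app_a`; both directions must be granted separately by a system partition.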

ii) providing a software object;
iii) modifying part or all of said software object such that it is functionally limited to run on only a UCDPS with an SPD and or equivalent, and the functional limitation is by the Oscar method as defined below and or by the Groover method as defined below and or by any other method, and said functional limitation may be of one or multiple essential parts of the software object, preferably such that it is not practical to regenerate the original software object from any parts that are not functionally limited, and said modifying is preferably done at a secure location (also referenced as a service provider) that has access to part or all of the secret information contained within the SPD, and for any particular functionally limited software object the functional limitation may only be reversed in a specific SPD with any unique characteristics necessary to reverse the functional limitation, or the functional limitation may be reversed on a plurality of SPDs characterised by common characteristics necessary to reverse the functional limitation; and or

modifying part or all of said software object, using any method, such that it is securely linked in part or whole, using any method, to one or multiple conditions of use, also referenced as PCPU Inclusion Conditions (or PIC), that in part or whole are tamperproof and that include any code that directly or indirectly identifies the producer of the software object and or identifies the software object such that when an SPD interacts with the software object it may record use of that particular software object and or use of PSOs by a particular producer and or use on any other basis, in part or whole, where the record of use in part or whole is used in determining remuneration to the producer and or any other parties; and or the conditions of use include any code that contains information which may be used by the SPD to determine if the software object:

is permitted to execute in part or whole on a units of time used basis, and if permitted, what fee should be applied to the use of the software object, and said fee may be any unit of measurement and is preferably on a generic units of use basis, and said generic units may be attributed any real currency value at any stage;

and or

is permitted to execute in part or whole on an events occurring basis, for example the number of times one or multiple parts of the program are loaded and or executed and or any other measurable events basis, and if permitted, what fee should be applied for the use of the software object, and said fee may be any unit of measurement and is preferably on a generic units of use basis, and said generic units may be attributed any real currency value at any stage;

and or

is permitted to execute on an unlimited basis subject to a fee, and if permitted, what fee should be applied for the use of the software object, and said fee may be any unit of measurement and is preferably on a generic units of use basis, and said generic units may be attributed any real currency value at any stage;

and or

is permitted to execute on any type of limited basis subject to a fee, and if permitted, what fee should be applied for the use of the software object, and said fee may be any unit of measurement and is preferably on a generic units of use basis, and said generic units may be attributed any real currency value at any stage;

and or

requires entry of one or multiple data keys of any type prior to initiating use of part or all of the software object for the first and or any other time on a particular SPD, and may include whether or not a fee is to be charged for providing the data key;

and or

requires any other restrictions to be placed;

and

any software object modified in part or whole

said Oscar method is any functional limitation of part or all of a software object by any method of encryption, usually at a secure location remote to the user, where part or all of the reversal of the encrypted information, by decryption and or any other method, occurs within a secure environment directly and or indirectly attached to a UCDPS such that part or all of the instructions and or data of the software object reconstituted by said reversal are not accessible to analysis by any unauthorised party and the execution of part or all of said instructions and or the processing (using any method) of part or all of said data that is not accessible to analysis by an unauthorised party remains in part or whole inaccessible to analysis by any unauthorised party. The result is that part at least of the functional limitation placed on a software object is not compromised by the process of using said software object;

said Groover method is any functional limitation of part or all of a software object by deletion of part or all of the information within the software object, usually at a secure location remote to the user, where part or all of the reversal of the deletion, by any method, occurs within a secure environment directly and or indirectly attached to a UCDPS such that part or all of the instructions and or data of the software object reconstituted by said reversal are not accessible to analysis by any unauthorised party and the execution of part or all of said instructions and or the processing (using any method) of part or all of said data that is not accessible to analysis by an unauthorised party remains in part or whole inaccessible to analysis by any unauthorised party. The result is that part at least of the functional limitation placed on a software object is not compromised by the process of using said software object;

iv) providing one or multiple PSOs onto computer-accessible memory media or any suitable apparatus for electronically transferring said PSOs to a potential user, and preferably the conditions of use attached to said one or multiple PSOs permit said PSOs to be used on a time or events used basis in a UCDPS suitably equipped with an SPD that has sufficient aforementioned units of measurement stored within and or securely accessible;

v) shipping said one or multiple PSOs on computer-accessible memory media to a potential user and or electronically transferring said one or multiple PSOs;

vi) loading said one or multiple PSOs into a UCDPS and … conditions of use;

vii) where required by the conditions of use or any other reason, a means for the user to:

• request the supply of one or multiple units of measurement that may be required by the SPD for any purpose, and or

• receive one or multiple said units of measurement, preferably in suitably encrypted format, that may use any method, and transfer said units of measurement into the SPD, and or

• request the supply of one or multiple data keys that may be required by the SPD, and or

• receive one or multiple data keys and transfer said data keys into the SPD, and or accessible to the SPD, using any method, and or

• generate one or multiple reports of software usage and or any other information that may be required, and supply said reports to the service provider and or any other external …

• receive one or multiple codes confirming that said report has been received and supply said one or multiple confirming codes into the SPD and or accessible to the SPD, and or

• request the service provider and or any other authorised party for one or multiple codes that may be used to reactivate part or all of the SPD that may have been disabled for any reason

• receive one or multiple codes to reactivate part or all of the SPD that may have been disabled for any reason and transfer said codes into the SPD, and or accessible to the SPD, and

for any of the preceding, the information generated by the UCDPS and or received from the service provider is preferably transferred electronically, however, any other combination of methods may be used including mailing of computer-accessible memory media containing the information.

PREFERRED IMPLEMENTATION OF THE INVENTION:

To assist with understanding the invention, reference will now be made to the accompanying drawings which show one example of the invention. In the drawings, Figure 1 shows an apparatus that is suitable for use as a secret processing device embedded within the system microprocessor.

Throughout this description and the accompanying drawings, many signal lines are represented by a single line and an identifying symbol. This may represent any number of signals; for example, a certain logic function output may clock, clear and set a flip flop, however, usually only one signal line will be shown to represent all three. In the case of various buses, the lines represent whatever number of signals constitute … relevant for the logic functions it may be entering or leaving. Many control lines are not described or shown in this description as it will be obvious to anyone experienced in the art where, when, and how they should be used in order to make functional any apparatus described; descriptions are detailed when needed to help clarify the implementation of any particular function. Throughout this description, the polarity of signals is usually immaterial and not discussed unless of specific consequence; it will be whatever is required … invention. When a latch or other device is set or cleared the alternative arrangement is allowed for. While a latch or register is a commonly used storage device in parts of this description, it may be … combination of logic and or software and or microcode that results in …

The invention describes:

1. a method of reversibly functionally limiting a software object that requires a secret processing device (or SPD) to reverse part or all of the functions of the reversible functional limitations and preferably includes a method of securely linking the conditions of use that apply to a particular reversibly functionally limited software object to said reversibly functionally limited software object such that this information may be used in part or whole to determine whether to permit the SPD to reverse the reversibly functionally limited software object. The conditions of use are preferably an integral part of the reversibly functionally limited software object and or supplied as one or multiple other modules that are linked in a manner that prevents the unauthorised separation of conditions of use and reversibly functionally limited software object. This produces a protected software object (or PSO) which may be distributed to a potential user and loaded onto a UCDPS and includes instructions to the SPD on how it may be used. This permits objects to be widely distributed an… required to reverse, in part at least, the rever… conditions of use may also be supplied in a … linked, into an SPD transparently to the operati…

When a PSO is securely linked with conditions of use it may be used on a … any extra intervention by the user than would normally be requi… with the exception of any requirements that the SPD requ…

2. an apparatus referenced as an SPD that has various secure system … one or multiple reversibly functionally limited sof… includes an internal secure and secret operating system ref… way required to appropriately reverse in part or whole, reversibly functionally limited software objects. The secure functions of the SPD may have other applications.

The preferred embodiment of an SPD is included within the package of the system microprocessor; such a combination may be referred to as a protected CPU (or PCPU) … the UCDPS external to the package of the system microprocessor, this is referenced as an ESPD. A PCPU may include multiple system microprocessors. There may be mul… ESPDs within a UCDPS. Multiple SPDs in any location may … or not at all. The embodiment of a system microprocessor to implement the apparatus of the invention is predominantly dependent on the use of secure memory storage devices of various types and an ability to securely process information within these devices and a person exp… and microcode in many combinations to effect versions of an SPD and PSO that are within the spirit of the invention. This arrangement permits the secure functions required of the present invention to be implemented; a person knowledgeable in the art will appreciate that the secure proce… other secure applications. The known art does not describe a system micropr… that provides the secure processing functions described in t… microprocessor that provides the apparatus and or functions described in this application.

Figure 1 shows a block diagram of a system microprocessor that may … a secure microprocessor that is securely linked to one or multiple secure fun… secure functions. When the secure memory is programmed with appropriate information, the combination of software routines and embedded hardware functions and changes to th… provides all of the requirements of an SPD securely embedded wi… device may be used to replace the existing system microproce… any information required to meet the conditions of use attach… normal software object. It will be appreciated by those … logic, software and microcode to implement the device as described.
Figure 1 shows the silicon chip 130 of the system microprocessor 1. The system microprocessor 1 normally interfaces with external locations via an address bus 5 and address buffers 2 and data bus 6 and data buffers 3 and various control logic 7 via buffers 4. Buffers 2, 3 and 4 are enabled/disabled during normal processing by system microprocessor 1 via control line 9. Instructions are interpreted and executed by a combination of microcode and logical devices within the instruction execution block 8, located within 1. The apparatus of the invention needs to communicate with the system microprocessor 1 and this is most readily implemented with dual port memory 19, a memory that allows read and write accesses by two devices to the same addresses on an asynchronous basis. There are many ways of achieving an equivalent result. As described in this embodiment the DP memory 19 is not intended to store secure information; it is functioning as a port between unsecure and secure processes and it is not practical for an unauthorised person to access secure information without very complex codes. The invention allows for the recording of failed attempts at access and may disable itself to prevent repeated attempts to compromise secure elements.

The system microprocessor side of the DP memory 90 may be decoded into the normal address space of the UCDPS using any known decoding apparatus, however, the preferred method is to make the addresses occupied by the 90 side of the dual port memory 19 a separate address space to the UCDPS. This is done by providing an instruction, referenced as a transparent address activator or TAA, that, depending on the attached opcode, … functions.

The primary interaction of the system microprocessor 1 with dual port memory 19 will be to read and write data between UCDPS addresses and dual port memory 19 for transfer into secure functions 50 by the secure microprocessor 20 and the reverse. There may also be a requirement to transfer data from one location to another within the dual port memory 19. The address space occupied by the dual port memory may be any practical amount. Reset of the system microprocessor 1 initialises normal address decoding, with the dual port memory 19 inaccessible by the system microprocessor 1.

The execution of a TAA instruction, with for example X as the opcode, and the combination referenced as TAAX, is carried out if the system microprocessor 1 wants to move information from UCDPS memory to dual port memory 19, in which case buffers 2, 3, 4 would be activated by 9 for reads from any address … a write operation the address decoder enable signal 11 is active, enabling the address decoder 10 to decode a predetermined address block (that may be made programmable) of dual port memory 19 using chip select 13, that also keeps the buffers 2, 3, 4 disabled by blocking any enabling effect of 9 via logic gate 14. Data is read from UCDPS memory space and written to dual port memory 19. Instruction TAAY performs … 11 during read operations, instruction TAAZ activates 11 for reading and writing. TAAB disables 11 for all reading and writing, the normal situation. The TAA instruction only affects operations that are fetching data, not instructions, and most system microprocessors have a signal to distinguish between the two. An instruction referenced as the TBAX instruction may be used to activate instruction fetches from dual port memory 19, by activating 11 during instruction fetches, and may be disabled by the TBAY instruction. Instructions are read operations. TAA and TBA instructions may be used in any combination. A reset has the same effect as TAAB and TBAY, ensuring normal processing on startup. While TBAX is active, instruction fetches from addresses outside the dual port memory 19 are from UCDPS memory. A watchdog counter or timer may be set, and this may be programmed to perform an automatic TBAY instruction or any other method to avoid trapping the system microprocessor in dual port memory 19.
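The following C model, added here and not part of the patent, represents the TAA/TBA behaviour just described: the three flags stand for signal 11 being active for data reads, data writes and instruction fetches, route() stands for address decoder 10 and chip select 13 choosing between UCDPS memory and dual port memory 19, reset behaves as TAAB plus TBAY, and a fetch counter stands for the watchdog that issues an automatic TBAY. The dual-port block addresses, the watchdog limit and all names are assumptions.

```c
/* Model of the transparent address activator (TAA) and TBA instructions.
 * Added example; constants and names are assumptions, not the patent's. */
#include <stdbool.h>
#include <stdint.h>

enum access { DATA_READ, DATA_WRITE, INSTR_FETCH };
enum target { UCDPS_MEMORY, DUAL_PORT_MEMORY };

/* Predetermined (programmable) dual-port address block; values are constructed. */
#define DP_BASE        0x0000F000u
#define DP_SIZE        0x1000u
#define WATCHDOG_LIMIT 64   /* DP instruction fetches before automatic TBAY (assumed) */

struct taa_state {
    bool read_en, write_en;  /* TAA: signal 11 active for data reads / data writes */
    bool fetch_en;           /* TBA: signal 11 active for instruction fetches */
    unsigned dp_fetches;     /* watchdog counter while TBAX is active */
};

/* Reset has the same effect as TAAB and TBAY: normal decoding only. */
void taa_reset(struct taa_state *s) { *s = (struct taa_state){0}; }

/* TAAX: reads from any address, writes to DP memory; TAAY: 11 during reads;
 * TAAZ: 11 for reads and writes; TAAB: 11 disabled (the normal situation). */
void taa(struct taa_state *s, char opcode) {
    switch (opcode) {
    case 'X': s->read_en = false; s->write_en = true;  break;
    case 'Y': s->read_en = true;  s->write_en = false; break;
    case 'Z': s->read_en = true;  s->write_en = true;  break;
    case 'B': s->read_en = false; s->write_en = false; break;
    }
}

/* TBAX activates 11 during instruction fetches; TBAY disables it. */
void tba(struct taa_state *s, char opcode) {
    if (opcode == 'X') { s->fetch_en = true; s->dp_fetches = 0; }
    else if (opcode == 'Y') s->fetch_en = false;
}

/* Interrupts are inhibited while any TAA or TBA activation is in force. */
bool interrupts_inhibited(const struct taa_state *s) {
    return s->read_en || s->write_en || s->fetch_en;
}

/* Decide which memory one access goes to. TAA only affects data accesses;
 * TBA only affects instruction fetches; addresses outside the DP block are
 * always UCDPS memory. */
enum target route(struct taa_state *s, enum access a, uint32_t addr) {
    bool in_block = addr >= DP_BASE && addr < DP_BASE + DP_SIZE;
    bool active;
    switch (a) {
    case DATA_READ:  active = s->read_en;  break;
    case DATA_WRITE: active = s->write_en; break;
    default:         active = s->fetch_en; break;
    }
    if (!active || !in_block) return UCDPS_MEMORY;   /* buffers 2, 3, 4 enabled by 9 */
    if (a == INSTR_FETCH && ++s->dp_fetches >= WATCHDOG_LIMIT)
        tba(s, 'Y');   /* watchdog: do not trap the system microprocessor in DP memory */
    return DUAL_PORT_MEMORY;                          /* chip select 13, buffers disabled */
}
```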

This method and apparatus provides a novel transparent method of including one or multiple devices within a system microprocessor without potentially conflicting with existing resources in a UCDPS and has multiple applications to the art of system microprocessor design. To avoid problems with interrupts directing processing to another routine that expects a normal environment, interrupts are inhibited by TAA and TBA instructions. An alternative allows for similar instructions that do not inhibit interrupts, allowing the interrupt handler and or task switcher to handle the situation, in which case the TAA and TBA instructions are disabled by an interrupt and a record of their status is stored in a location, e.g. a special register, acce…

Secure processing is provided by including a second microprocessor 20 within 130 that may read and write to addresses within the secure address map 50 without being available to external analysis. Secure address block 50 is predominantly memory, divided into a small amount of mask ROM 51 to initially program the other information into the device, flash memory 52 for storage of information that needs to remain in the device in the event of total power loss, and battery backed static memory 53, that stores important information which may be rapidly erased in the event of tampering. The microprocessor 20 communicates with the secure memory 50 via address lines 84, data lines 100, and other various control lines including read write 93. Also decoded are a battery backed realtime clock and or calendar 89 that cannot be tampered with and a crystal. A data encryption standard engine is preferably included. Decoding of secure addresses is provided by decode logic 25 and the various chip select signals are output on 83 to the various secure devices. The power management logic 65 receives external power on 60 and battery power on 87 from (preferably rechargeable) battery 70. An A/D converter 75 monitors voltage. Continuous power is supplied to 50 via 87. Power management 65 may also be used for any additional voltages to flash memory 52 and other battery backed logic, and provides recharging power to the internal battery 70. The microprocessor 20 communicates with the system microprocessor 1 via a dual port memory 19. The microprocessor 20 side 91 of dual port memory 19 is decoded by 25 via 40. Data lines 22, address lines 21 and read write 23 connect with 19 to allow reads and writes of information between microprocessor 20 and port memory 19. A similar method allows the system microprocessor to communicate with dual port memory via chip select 13 from its decode logic 10 and address lines 14 and data 6. The decode circuit 10 uses high order address lines 12 and control lines 32 (e.g. valid address) and 11 (activated by TAA, TBA). This provides a method of transferring information to and from external locations to dual port memory 19 that may be read and written by microprocessor 20. No user supplied program can access the information in secure memory without access to the secret codes required, and these may be made as complex as secure memory resources allow.

It is preferable that the secure microprocessor includes a direct memory access (DMA) facility to move blocks of information from UCDPS memory directly into secure memory locations and or from secure memory to external locations. This may actually improve the efficiency of the original system microprocessor, permitting it to perform other tasks while a block of information is securely processed in internal memory. Access to this DMA facility should be decoded into the secure function address block and should only be able to be selected by an instruction originating within secure system functions (as described later). Any possibility of an external program and or a program executing in a user partition having unsupervised access to the DMA controller 125, which may be programmed to move a large block of system information to external locations, would be disastrous.

The microprocessor 20 would usually program the DMA controller 125 via data bus 100 and chip select … and read/write 102, using a routine known to have originated within one or multiple predetermined system functions. The details of including a DMA controller 125 are not described or shown. The method involves multiplexing the address 5, data 6 and control lines 7 of the system microprocessor 1 with similar signals generated by the DMA controller 125 to read or write external locations, and multiplexing of the address, data and control lines of microprocessor 20 to read and write secure addresses. These methods are known to the art and, because the DMA controller is within the system microprocessor chip, arbitration logic between system microprocessor 1 and DMA controller 125 would be easier to implement at a logical level than for external DMA controllers. This type of DMA is transparent to external devices.

The invention also allows that the microprocessor 20 may be a duplicate of the system microprocessor 1, providing a very powerful processing system, allowing secure and unsecure execution to proceed concurrently. Another attractive option is to use two different system microprocessors, e.g. an Intel type of CPU and a Motorola type of CPU. These may be multiplexed by one experienced in the art such that one system microprocessor … system functions while the other provides secret processing of various functions. An electronic switch, that may be activated in any way, e.g. hold reset low, may switch the roles. The secure functions may be duplicated, in part or whole, or each may have its own secure functions that are inactivated when a system microprocessor becomes the unsecure processor. A switch from secure processing to unsecure processing preferably ensures that any potentially secret information is flushed from CPU registers and any other locations that may become accessible to external analysis in the unsecure state. All secure functions would usually be inaccessible to the system microprocessor in unsecure mode. A person knowledgeable in the art should be able to design such an embodiment that performs to the requirements of the invention. This provides a convenient means of providing an existing UCDPS with a means of integrating two different UCDPSs into one. Of course this scenario might be … to any number of system microprocessors within the one package. When multiple system microprocessors are included in the one package, the one that is normally associated with the resident operating system and peripheral … is referenced in this application as the Host CPU. Any other system microprocessors are referenced as a Grafted CPU. No changes would usually be required to any software to operate the Host CPU, however, other support may be required to simulate the correct environment for a Grafted CPU and one solution may be to include a programmable address trap for the grafted system microprocessor that detects all accesses to resources that need emulation.

It will be appreciated by those experienced in the art that the embodiment described with reference to Figure 1 may be readily transferred to a location external to the system microprocessor by providing a secure package and replacing the transparent address space of the version within the PCPU with an appropriate address within the UCDPS address space.

A basic embodiment of an SPD for use external to the system microprocessor is described with reference to Figure 2 of the drawings showing a printed circuit board 700 to … bus expansion of a UCDPS 720 via the gold fingers 701 on the printed circuit board 700. Mounted onto PCB 700 are an address decoder 702 to receive address signals from the address bus … lines 722 that it uses to decode the UCDPS side of the dual port memory … address map of the UCDPS using chip select line 712. The lower order address lines 723 of the … together with UCDPS data bus signals 724 and a read/write signal 725 pass from the UCDPS bus via buffer 703 to the UCDPS side of the dual port memory 704 via signal lines 713. The part of 703 that buffers the data lines is bidirectional. A microprocessor 707 includes two interrupt lines 730 and 731 a… and a valid address signal 733 and a bidirectional data bus 715 and a read/write line 732 and internal programmable non-volatile memory 708 (e.g. flash memory) and a boot ro… 708. A static RAM chip 709 is connected to microprocessor 707 low order address lines of address bus 714 and data bus 715 and read/write line 732. Static RAM 709 is activated … decoder 705 decoding the high order address lines on address bus 714 in conjunction with address signal 733. When static RAM 709 is selected the microprocessor 707 may read and write data to and from 709. The microprocessor 707 side of the dual port memory 704 is attached directly to … 732 and low order address lines of address bus 714. The microprocessor 707 side of the dual port memory is activated for read and write operations by chip select 750 generated by ad… lines on the address bus 714 and the valid address signal 733. A rechargeable battery 710 is included providing backup power via 711 to the microprocessor 707 and the static mem… an active UCDPS, the battery 710 is recharged from the system power supply. Micro… line 730 causing an interrupt when the tamperproof enclosure 716 is disrupted. The tamperproof housing 716 securely encloses 710, 707, 709, 705, 704, 712 and all signal lines that may provide useful information. Interrupt line 731 causes an interrupt to 707 when the address decoder 702 decodes any address … indicating that the external system microprocessor is accessing the … and that action may be required by microprocessor 707. The microprocessor 707 is normally in low power sleep mode. If awakened by interrupt 730 it immediately sequentially erases the values stored within SRAM 709 using a routine preprogrammed into 707 prior to enclosure in 716. If awakened by 732 it continues processing as required. The SPD as described may be integrated into a single chip. A person experienced in the art would be able to ad… any suitable non-bus interface. A suitable location may be the parallel port on a shared basis with the printer; the known art for other types of software protection devices describes such a shared … The inclusion of a cryptoengine implemented in hardware would enhance decryption processes that are … versatile functions provided by an SPD.

Figure 3 shows a block diagram of the address map for secure functions within the system microprocessor package 130 of Figure 1. These secure functions may only be addressed by the secure microprocessor 20 and may not be accessed by external programs, other than said external programs providing information that is usually subject to validity checks and decryption before acceptance by the secure microprocessor 20 for further processing. The address decoder 25 decodes a battery backed real time clock calendar 89 with chip select 140, DMA controller 125 with chip select 142, Data Encryption Standard Engine 135 with chip select 143, and if the DES engine is constructed in part or whole from programmable logic devices (preferably SRAM, that may be battery backed if non-volatility is required) that are dynamically programmed as required, these devices are selected by select line 141, tamper detect 80 (preferably including a continually powered simple microcontroller to provide continuous security monitoring) selected by 144, A/D converter 75 by select 1… preceding devices would usually have fixed locations in the me… the chip selects 140, 141, 142, 143, 144, 145, 146, and any other additional select lines that may be required to access other secure devices, may only be selected if the instruction that outputs the chip selects originates from within a memory location in the secure system memory 147, protecting the security of this area from non-system (user) programs, usually user application pro… first address of an instruction and compare it with an address block that defines … memory 147. This address block is preferably programmable to allow the size of secure system memory to be varied, however, there will be a known default on reset of the secure microprocessor 20. As an added precaution it is preferable to latch the first address of the preceding instruction and do a similar comparison. This requires any instruction that attempts access to secure functions in this part of the address map to have originated in secure system memory and the instruction prior to it must also have originated … a program that may be executing within a secure user partition from accidentally or deliberately loading the program counter of the secure microprocessor 20 with a value pointing to a secure function, with unpredictable results. The address of the first instruction may be determined by including in the microco… generation of a signal to indicate that it is the first address of the instruction (this may already be the case). The program counter contents may also be latched. Chip select 147 from decoder 25 delineates the block of memory allocated to secure system functions. When the secure microprocessor 20 is reset it jumps to an initialisation routine in this memory. The size of this memory is preferably variable to accommodate changing circumstances. This is usually done by programmable boundary registers 160, that are selected by … fixed at the top of the available address space. The programmed value of 160 is supplied to address decode 25 and provided to its address comparators. These methods are well known to the art. Chip select 161 preferably requires the same precautions as regards checking the origin of the instruction as described for 14…, 142, etc. Chip select 147 decodes the secure system memory. This preferably has the same requirements for two sequential instructions to have originated in secure system memory addresses in order to be decoded. An exception is reset or an interrupt, which resets the latches that store the two relevant instruction addresses to values that are within the secure system memory. This enables the secure microprocessor 20 to read information from its interrupt handlers. This also provides a method for a user routine to transfer processing back to system memory in a controlled way. A user function may write to an addressable location that generates a user interrupt 180; the system functions may then interact in any predetermined manner to meet the requirements of the user function. The balance of the secure memory is allocated to various user functions. In a multitasking UCDPS, this is preferably partitioned into multiple user partitions. The preferred method is to have one or multiple sets of address boundary registers 170, that may only be programmed by secure system functions decoding select 171, with the value programmed into 170 feeding back to the decode logic 25 to define the current user partition, that is decoded with chip select 148. This permits the available user partitions to be divided on a totally flexible basis as required. When processing transfers from one user partition to another, the secure system functions reprogram the appropriate values. When processing is transferred to a user partition no addresses are decoded outside this partition to prevent a user function
compromising the system partition or an… to an address outside the user partition, it will not be decoded. In case of a crash within one of the user partitions a watchdog timer m… predetermined period. This is preferably a programmable period that may also be used to task switch secure processes in a multitasking environment. Prior to transferring processing to the user partition, the secure microprocessor 20 registers are preferably stacked and cleared of sensitive information and or the registers are duplicated. The dual port memory is decoded by chip sele… least on interrupt 195 to the system microprocessor that directs the system … dual port memory and or any suitable location. This location is preferably read only to the system microprocessor and may be read and written by the secure microprocessor 20. This interrupt may bypass any normal interrupts generated by the UCDPS to the system microprocessor and be processed transparently to the operating system. See known art US Patent 5274834. It may be used for any reason, in particular to direct the system microprocessor to perform various functions within the UCDPS transparently to the UCDPS operating system. An interrupt may also be generated by the system microprocessor to the secure microprocessor 20. … 20 are preferably specific to a particular source with sufficient interrupt lines to h…
16 

Within the secure system memory is an area of masked ROM 51 that is usually a fixed amount, usually a fixed amount of flash memory 52 for storing information that survives total loss of battery backed static memory 53 that securely stores secret system programs and data. The contents of 53 may be lost in part or whole, due to accidental reasons, eg. a flat battery (preferably rechargeable), or by activation of one or multiple tamper detect systems and or failure to comply with the conditions attached to using the SPD and or any other reason. System memory and user memory 54 is described later. Part at least of 53 and 54 may be provided by dynamic memory to provide greater memory density. This may particularly apply to secure system functions loaded from external sources as required, user functions loaded as required, and external information transferred as required.

Secure System Functions:

The system memory of an SPD must be preprogrammed with certain key programs and data prior to shipping to a user (usually as part of a UCDPS). This should be done in a secure environment, using secure methods, and is preferably completed during the manufacturing process. The service provider keeps a record of part at least of the information within each SPD. Once this key information is programmed into the system memory, additional programs and or data may be suitably encrypted by the service provider and transferred to a user's SPD (usually while within their UCDPS) using methods that maintain the security of the information. The suitably encrypted information is programmed into the system and or user memory of the SPD. In many cases this will be a transparent, dynamic process that occurs during the execution of various programs, particularly PSOs. This method allows almost any type of additional information to be stored within the system memory, and or allows various programs to be loaded to update and or modify existing system functions and or any other transfer of information.

Secure system functions are those functions applicable to the correct operation of the SPD and the provision of required resources to multiple secure user functions. Secure user functions are those applicable to one or multiple PSO loaded into memory of the UCDPS that requires the SPD and system functions within the SPD for its correct operation. Secure user functions are usually an integral part of, or integrally linked with, a particular PSO and loaded into the SPD as required. A PSO that is supplied by the service provider to securely update secure system functions would usually act as a secure user function, although its effect is directed at secure system functions.

The preferred SPD consists of the following:

1. It provides a tamperproof environment which is not practical for an unauthorised party to penetrate for any reason, including attempts at analysing or tampering with one or multiple secret processes that may be occurring within the tamperproof environment. This tamperproof environment may use a combination of secure packaging, using any known art to monitor the maintenance of the integrity of said secure packaging, together with a method of rapidly invalidating the contents should interference with the package be detected. As the preferred embodiment of the invention stores secret information independently of whether or not the UCDPS is active, part or all of the tamper detect and data invalidating methods preferably remain active on a continuous basis. The preferred method is to have the secure microprocessor 20 (Fig 1) and or a microprocessor integrated into tamper detect 80 (Fig 1), continually powered and periodically awakened from a low power sleep mode to perform one or multiple housekeeping functions, including monitoring and or activating various intruder detect processes.

Secret information that may compromise the secure nature of multiple other SPDs is preferably stored in battery backed Static RAM (SRAM), a storage medium that may be rapidly invalidated by removal of power and or by a specially created subroutine that cycles through the memory changing values and or a specially designed cascade system that triggers automatic invalidation of static memory storage elements as is known to the art (reference Dallas Semiconductors Secure Microcontrollers). The invention allows for any known method and apparatus of detecting physical tampering with the SPD and allows for any method and apparatus of invalidating secret information in any type of memory storage device.

Secret information that is only likely to compromise the security of a particular SPD may be stored in SRAM; however, information that should survive invalidation of the information within SRAM is preferably stored in non-volatile locations. When this information needs to be programmed and or reprogrammed dynamically in the normal course of operation of the SPD, it is preferable to use flash memory or an equivalent; where it does not require alteration after initial programming it may use any type of non-volatile memory storage device.

Information not requiring secrecy (as far as practical) and that is consistent across multiple SPDs is preferably implemented in mask ROM during the manufacture of the SPD. This usually includes initialisation routines to program other information into the SPD. When constructing an SPD that is not within the system CPU, the CPU chosen for the SPD will usually already have a boot or initialisation routine embedded within. Those experienced in the art will appreciate that information stored as masked ROM inside an integrated circuit (IC) package may be analysed, however, this is usually with great difficulty.

Where certain unique features are required in each SPD at the time of manufacture and secrecy (as far as practical) is not essential, they are preferably implemented by laser programming of masked ROM. This usually applies to one or multiple passwords that are applicable to a particular SPD.

The secret processing device (SPD) is a device that is not practical to tamper with. This device contains various secure functions that may perform useful functions for suitably configured software objects. It also provides various secure functions that permit a provider of protected software objects, referred to as service provider, to create an effective method of renting software to users. A number of alternative methods of securely distributing software are discussed. The method is secure from the perspective of the producer of the software object and provides a convenient means for a potential user to have access to a large amount of software that they only pay for as they use.

The invention allows that attempts may be made to physically tamper with the SPD. This may be for any reason, including the unauthorised extraction of secure information from the SPD. Secure system tamper detect functions, using any method and apparatus, may be used to detect tampering and or to take direct (that preferably includes immediately erasing and or altering information within part or all secure storage devices) and or indirect (e.g. via error functions) action in the event of tampering. Part of the tamper detect functions allow for any method and apparatus, referenced as secure system continuity functions, to confirm that one or multiple of any tamperproof mechanisms remain intact. One method is to include bidirectional logic at each end (or any other location) of the various signal lines to check for continuity of signal traces and or functioning of normal logic elements in those instances where the normal function does not permit this. This bidirectional logic is usually connected, directly and or indirectly, to addressable elements under the control of suitable software routines. The invention also allows for any method and apparatus to detect loss of clock to the realtime clock/calendar and or any one or multiple other clocked elements, including routines that periodically read these clocked devices (directly and or indirectly) to ensure that there are the expected incremental changes secondary to an active clock. It is preferable that the tamper detect mechanisms remain functional when the system power supply is removed. This may entail using battery power to maintain one or multiple microprocessors within the device in an operational mode, enabling them to perform various system functions. Loss of battery voltage below a predetermined threshold (as detected by an integrated A/D converter) may trigger the erasure of part or all secure elements. It is preferable that an independently timed function is implemented (e.g. RC network) that must be periodically refreshed by one or multiple microprocessors. This confirms the presence of an active CPU, and failure to periodically refresh this function usually causes a default erasure and or alteration of secure storage elements.

The invention allows that various errors and or validity failures and or other abnormal events may be recorded by secure system error monitoring routines (usually implemented within secure system memory). These may perform any functions, that may include:
recording abnormal events; and or
in response to a predetermined number and or types of abnormal events (and or any other reason) take one or multiple actions (that may be any action, including calling other functions to partially or totally disable the device); and or
return processing to the system CPU (with or without error reporting).

There may be a requirement to disable part or all of the SPD and or part or all of other apparatus that the SPD may be integrated within (e.g. system CPU). The functions to perform this are referenced as secure system disable functions and they may be implemented using any method and apparatus, including:
the generation of various clocks (and or any other meaningful signals) that trigger immediate erasure of volatile elements; and or
setting/clearing of flags (preferably in non-volatile locations) that may be read by various other functions that will not continue (and or any other outcome) in the event of an unacceptable value within a flag.

The invention also allows for any method and apparatus that may temporarily inactivate the disable functions. This may be for any reason; however, the primary one is to stop inadvertent triggering of these functions during software development. The invention allows for any method and apparatus that prevents infringement of system security when the disable functions are in part or whole temporarily inactive.

2. It provides one or multiple blocks of memory arranged in a manner that prevents unauthorised analysis of the contents of such memory unless intended. This memory is referred to as secure memory. This may apply even if part or all of the memory contains information that is not secret.

The memory blocks may use any types of memory storage device, in any mix and combination. There are preferred types of memory storage devices to meet the requirements of specific functions.

The primary purpose of secure memory is to provide part of an apparatus that, when combined with a secure method of processing information within the secure memory and a means of transferring information between the SPD and external locations, allows certain secret processes to occur and or certain secret information to be securely stored. The processing of information within secure memory may include the use of any mix of secure and unsecure programs and or data, and any interaction with resources that are external to the SPD.

An SPD usually has one or multiple blocks of memory storage devices that may consist of memory storage devices arranged to make it not practical for unauthorised parties to analyse the values stored within part or all of said memory storage devices.

The memory storage devices preferably:

(a) include one or multiple blocks of Static RAM that are made non-volatile by connection to a non-disruptable power source that is preferably a rechargeable battery integrated into the device and or its enclosure, and or a rechargeable battery external to said device, and said Static RAM is used in part or whole to store secret information that should usually be invalidated in the event of any tampering with said SPD, connected directly and or indirectly with one or multiple methods and apparatus to detect said tampering and invalidate, and or activate invalidation of, part or all of said secret information as a result of said tampering. The invention also allows for the inclusion of any method and apparatus to invalidate in part or all secret information stored within said static RAM for any other reason. This memory usually stores:
(i) secret system functions implemented at least in part as software routines; that need to be maintained in secrecy (as far as practical) and that cannot be stored in encrypted format in an external location and loaded as required. An example of this may be the master decryption algorithm and or keys. If this was loaded from an external location it may be analysed and used to break the security of other encrypted information. Other decryption algorithms may be possible as long as sufficient functionality is maintained. This function may in part or whole be a hardware implementation of a decryption algorithm.
(ii) information that may or may not need to be secret that is required to correctly interface with externally supplied information; this may include the loading of other information.
(iii) information that it is determined, for any reason, should be within the SPD.
(iv) information that is loaded from external resources. This may include additional secure system functions loaded in encrypted format and subsequently decrypted and may include appropriately encrypted objects supplied by an authorised party to modify information within the SPD.

The information described in (i), (ii), (iii) and (iv) constitutes part of the secure system functions (53 of figure 3) and consists of information that is known to be available within, or able to be loaded within, the device when required to perform the functions that are an integral part of the SPD. System functions are usually prepared and scrutinised in a secure environment to ensure that they do not compromise the secrecy of information within the SPD. Those secure system functions that are loaded into the SPD in encrypted format usually have tamperproof validity checking processes integrated into their structure to ensure the validity of the information prior to associating it with other secure system functions. That part of the secure memory holding secure system functions is referenced as secure system memory.

(v) other information that may be loaded into the battery backed SRAM and may include one or multiple secure user functions (54 of figure 3). These are usually software objects supplied by various producers that have a requirement for interaction with the SPD. They usually require appropriate conversion of the software object by an authorised service provider to one that may be recognised and processed by the SPD, referenced as a protected software object or PSO. A PSO is usually encrypted and preferably has appropriate validity checking mechanisms included to ensure that the information is as supplied by the service provider. Those parts of the PSO that are to be transferred to locations within the SPD, whether data and or computer instructions, are referenced as secure user functions. In applications where this information is data that is to be processed securely using secure system functions, accidental and or deliberate tampering with the data usually has no potential unwelcome consequences within the SPD as the processing is performed by known programs.

(b) static RAM (SRAM) that is not battery backed and or dynamic memory may be used for secure system functions described in the preceding (a) part (iv), and or secure user functions in (a) part (v), and or any other information loaded into the SPD.

(c) an area of programmable and or reprogrammable memory that remains non-volatile when all power is lost. This preferably includes one or multiple blocks of intrinsically non-volatile and reprogrammable memory, e.g. flash memory and or EEROM, including any required componentry to support programming, erasure and reprogramming of said flash memory and or EEROM. Particular applications of this area are the storage of information that should survive an erasure of SRAM for any reason, including accidental erasure. One of the features of the SPD is its capability, with appropriate software, to select random encryption keys and validity check sums, and use these to encrypt information stored externally, preferably on a mass storage device. This information may need to remain retrievable if the SRAM contents are corrupted. By retaining the keys to this information in non-volatile locations, a suitably protected routine may be used to retrieve this information. Security is maintained with externally encrypted information as the decryption key is inaccessible and may be varied every time.

(d) includes one or multiple blocks of memory of mask ROM that is programmed at the time of fabrication of the memory storage devices, and said mask ROM preferably includes an area that may be customised to create unique information for each device; one method of customising the device is with a laser. This is usually used to initially program data into other storage devices.

The current system functions within an SPD preferably have a version number stored in an externally accessible location, eg. dual port memory 19 of figure 1, that may be read by PSOs to ensure the SPD has the necessary resources to meet the requirements of the PSO.

3. It provides at least one secure microprocessor 20 and a method of decoding part or all of the secure memory and any other addressable functions (e.g. timer, realtime clock, decryption/encryption engines, interfaces, etc) into the address space of the secure microprocessor 20. The microprocessor is designed such that secret information that it reads and or writes and or processes, in part or whole, is not exposed to unauthorised analysis.

The secure microprocessor 20 may be continually powered to perform reliable tamper detection and invalidation. The power source is usually shared with the battery backed SRAM and, where present, the realtime clock calendar.

It is preferable that the reset line on the secure microprocessor is connected to the reset line of the host UCDPS, enabling it to perform error checking on internal stored information prior to performing functions required by the UCDPS.

The secure microprocessor on reset (and or any other appropriate event) and or as part of its normal functions may perform various housekeeping duties while waiting for one or multiple interrupts generated by the UCDPS, and or the reading of one or multiple appropriate values from one or more polled addresses, that may also be directly and or indirectly written to by the system microprocessor, and or any other method that activates the microprocessor and or any one or multiple other functions of the SPD.

4. The SPD predominantly is a secret processor of information and a secure and secret repository of information, that in part or whole is generated (including by decryption) within the SPD. It is an essential function that there is a means of transferring information in and out of the SPD without compromising the security of information that must remain secret. This entails two basic requirements:

(a) The provision of one or multiple physical interfaces between SPD and sources of information. The invention allows for any known interface. This includes information that is transferred via the bus of the UCDPS, that is the usual method when the software objects using the SPD are executing and or being processed by the system microprocessor, and or information entering through one or multiple ports that may be read by the secure microprocessor and or any other function within the SPD.

The preferred interfaces include any ports that are part of the secure microprocessor or any other part of the SPD, dual port memory 19, latches and or registers (unidirectional and or bidirectional), FIFO memory, and a facility for the secure microprocessor to have direct access to the address bus of the UCDPS and move information under programmed control and or by direct memory access (DMA).

(b) a method for the SPD and UCDPS to determine which locations have valid information and a method of acting on this information. The information may be commands and or programs requiring execution and or data for any reason and or any other information. This is a function of secure system functions and specifically those referenced as secure system I/O functions. They require similar processes to those provided by any operating system and are within the expertise of those experienced in the art of writing operating systems. Moreover, as the SPD includes functions to load and execute externally supplied software objects that may securely modify the various secure system functions, more flexibility is provided with an SPD than many UCDPSs having part of their operating system in memory that is not easily modified.

The preferred embodiments of the invention provide a dual port memory 19 that is accessible by the secure microprocessor and the system microprocessor. This occupies a predetermined part of the address map (that may be programmable) as previously described with reference to Figures 1 and 3.

The next part of the description may be better understood by reference to Figure 4 of the drawings, that shows:

A system port structure 199 is established that may have one or multiple addresses which the system microprocessor writes to, referenced as system command input port 200, and one or multiple addresses which it reads from, referenced as system command output port 201. The SPD reads command input ports and writes to command output ports. As these are usually part of a block of memory, they may be dynamically reconfigured between system microprocessor 1 and secure microprocessor 20. This reconfiguring may change locations and or the number of addresses constituting a port. It is preferable to have a system input data port 202 for the transfer of information other than commands from UCDPS to SPD and a system output port 203 for non-command transfers from SPD to UCDPS. In the case of dual port memory a larger block of addresses may be allocated to non-command information, and the addresses and sizes may be dynamically configured. The actual allocation of input and output ports is preferably a function of the SPD and is likely to be a dynamic state. In a single tasking environment this may be the only interfacing required. The inclusion of a DMA channel 125 on the SPD is the preferred method of moving large blocks of information in and out of the secure memory 53, 54 of the SPD. Address and control lines 220 and data lines 221 from the DMA controller 125 are multiplexed with similar signals from system microprocessor 230 and are multiplexed in 235 for interface with external memory. Address and control lines 222 and data lines 223 are multiplexed (not shown) with similar signals from the secure microprocessor for interface with secure memory 53 and 54.

The invention also allows for the SPD to handle the requirements of multiple PSOs in a multitasking environment, and that the system command and data ports as described may be sufficient if the UCDPS operating system is modified to send a command to an appropriate location in a command port to instruct the SPD of a task change and does not proceed until the command is acknowledged.
11 

The preferred method is to use the system command and data ports for establishing certain parameters within the SPD when a PSO first requires access to the SPD. The PSO would usually send information requesting a user partition 54 of Figure 3 and a user port structure 205 of Figure 4. The SPD would usually respond with availability of this memory and dynamically configure a user command input port 206 and or user command output port 207 and or user input data port 208 and or user data output port 209. The PSO stores these port addresses in a suitable location in its own address space and directs all commands and other information to and from these user ports until otherwise appropriate. A multitasking kernel within secure system functions is preferably responsible for such port configuration as part of its functions. Additional PSOs create their own user ports, e.g. 210 and 215 of Figure 4. The space used by these ports is reallocated when a software object terminates interaction with the SPD. Any one or multiple user ports may be dynamically reconfigured as required while still in use with a particular PSO. This process permits the SPD to be transparent to the UCDPS task handler.
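The port negotiation described above, as an added Python model (example code written for this page, not the patent's own code): the OPEN/CLOSE opcodes, the ACK/NAK status bytes, the port sizes, the first-fit allocator and the layout of the reply are assumptions made for the example; the numerals in comments are the reference numerals used in the text.

```python
# Added example: model of the system/user port structure of Figure 4 carved out of the
# dual port memory (19). Opcodes, port sizes, allocator and reply layout are assumptions.
import struct

OPEN, CLOSE = 0x01, 0x02        # commands a PSO writes to the system command input port (200)
ACK, NAK = 0xA0, 0xE0           # status the SPD writes to the system command output port (201)
CMD_SIZE, DATA_SIZE = 16, 256   # assumed sizes of a command port and of a data port


class DualPortMemory:
    def __init__(self, size=2048):
        self.cells = bytearray(size)
        self._free = [(0, size)]                        # free extents as (base, limit)

    def allocate(self, size):
        for i, (base, limit) in enumerate(self._free):  # first fit
            if limit - base >= size:
                if limit - base == size:
                    del self._free[i]
                else:
                    self._free[i] = (base + size, limit)
                return base
        raise MemoryError("dual port memory exhausted")

    def release(self, base, size):
        merged = []
        for b, l in sorted(self._free + [(base, base + size)]):   # coalesce neighbours
            if merged and merged[-1][1] == b:
                merged[-1] = (merged[-1][0], l)
            else:
                merged.append((b, l))
        self._free = merged


class SecureKernel:
    """Multitasking kernel in the secure system functions: it owns the port configuration."""

    def __init__(self, dpm):
        self.dpm = dpm
        # system port structure 199, fixed at start-up: 200/201 command in/out, 202/203 data in/out
        self.sys_cmd_in, self.sys_cmd_out = dpm.allocate(CMD_SIZE), dpm.allocate(CMD_SIZE)
        self.sys_data_in, self.sys_data_out = dpm.allocate(DATA_SIZE), dpm.allocate(DATA_SIZE)
        self.user_ports = {}                            # handle -> (cmd_in, cmd_out, data_in, data_out)
        self._next_handle = 1

    def service_system_command(self):
        """Read the system command input port and answer on the system command output port."""
        op, arg = struct.unpack_from(">BH", self.dpm.cells, self.sys_cmd_in)
        sizes = (CMD_SIZE, CMD_SIZE, DATA_SIZE, DATA_SIZE)
        if op == OPEN:                                  # PSO asks for a user port structure (205)
            got = []
            try:
                for s in sizes:
                    got.append(self.dpm.allocate(s))
            except MemoryError:                         # roll back the partial allocation, refuse
                for b, s in zip(got, sizes):
                    self.dpm.release(b, s)
                struct.pack_into(">BH", self.dpm.cells, self.sys_cmd_out, NAK, 0)
                return
            handle, self._next_handle = self._next_handle, self._next_handle + 1
            self.user_ports[handle] = tuple(got)
            struct.pack_into(">BH4H", self.dpm.cells, self.sys_cmd_out, ACK, handle, *got)
        elif op == CLOSE and arg in self.user_ports:    # PSO terminated: its space is reallocated
            for b, s in zip(self.user_ports.pop(arg), sizes):
                self.dpm.release(b, s)
            struct.pack_into(">BH", self.dpm.cells, self.sys_cmd_out, ACK, arg)
        else:
            struct.pack_into(">BH", self.dpm.cells, self.sys_cmd_out, NAK, 0)


class PSO:
    """System-side view: a protected software object talking to the SPD through the ports."""

    def __init__(self, kernel):
        self.kernel, self.cells = kernel, kernel.dpm.cells
        self.handle = self.ports = None

    def open(self):
        struct.pack_into(">BH", self.cells, self.kernel.sys_cmd_in, OPEN, 0)
        self.kernel.service_system_command()
        status, handle = struct.unpack_from(">BH", self.cells, self.kernel.sys_cmd_out)
        if status != ACK:
            return False
        self.handle = handle                            # the PSO keeps its own port addresses
        self.ports = struct.unpack_from(">4H", self.cells, self.kernel.sys_cmd_out + 3)
        return True

    def close(self):
        struct.pack_into(">BH", self.cells, self.kernel.sys_cmd_in, CLOSE, self.handle)
        self.kernel.service_system_command()
        self.handle = self.ports = None


def demo():
    """Two PSOs open, a third is refused until one closes, then it reuses the freed ports."""
    kernel = SecureKernel(DualPortMemory())
    a, b, c = PSO(kernel), PSO(kernel), PSO(kernel)
    out = {"a_open": a.open(), "b_open": b.open(), "c_first": c.open()}
    out["disjoint"] = not set(a.ports) & set(b.ports)
    ports_a = a.ports
    a.close()
    out["c_after_close"] = c.open()
    out["c_reuses_a"] = c.ports == ports_a
    out["live_handles"] = sorted(kernel.user_ports)
    return out
```

With a 2048-byte dual port memory the system ports plus two user port structures fit but a third does not, so `demo()` shows the refusal path, the clean roll-back of a partially satisfied request, and the reallocation of a terminated PSO's ports to the next requester, which is the behaviour the text attributes to the multitasking kernel.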

5. Secure System and Secure User Partitions:

If the SPD is to provide any useful processing of information supplied, it requires a method of transferring information into secure areas where it may be further processed. As described, a potential unsecure process is introduced into an SPD once the facility is provided to load externally supplied information into secure memory that in part or whole consists of executable code. PSOs that are to modify the secure system functions are usually provided by the service provider from software objects in their control and the security is good. When a PSO is produced by a producer, there can be no such guarantee of the integrity of the contained program code. The execution of this material may read information from secure system functions and write it to external locations. In a multiuser system, it may also compromise information relevant to other users.

The preferred method is to partition the available secure memory into partitions as previously described that includes a system partition and one or multiple user partitions. Programs within a system partition may access any secure memory address. Programs within a user partition are confined to that partition. This is implemented using dual latching of instruction sources as previously described. This protects system integrity and the interior of one user partition from any other. An alternative is to perform this function with software, by checking that each instruction executing within a particular user partition is not intended to make an unauthorised access to system memory and or other user memory. Another solution would be to add a separate microprocessor to one or multiple user partitions.

When the secure system kernel switches processing between user functions, it programs logic with the address boundaries of the current user partition that is compared with an instruction. A separate user partition is allocated to each user function.

The invention allows for any method and apparatus that prevents any particular user function from accessing, in an unauthorised manner, secure information within system partitions and or other secure user partitions. The method does allow valid transfers of processing across system and user functions. It is preferable that the size of the partitions may be varied, preferably under the control of secure system functions.
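The partition enforcement just described, together with the address boundary registers 170, user interrupt 180 and watchdog timer discussed earlier on this page, as an added software model (example code written for this page, not the patent's own design): the class and method names, the watchdog period counted in memory accesses, and the convention that a write to the top cell of a partition raises the user interrupt are modelling assumptions.

```python
# Added example: a software model of the system/user partition scheme described above.
# It is not code from the patent; the names, the access-counted watchdog and the
# "top cell raises user interrupt 180" convention are modelling assumptions.


class PartitionViolation(Exception):
    """The decode logic refused an address outside the current user partition."""


class WatchdogExpired(Exception):
    """A user function ran past the programmable watchdog period."""


class SecureMemory:
    SYSTEM_MODE = None  # boundary register not programmed: secure system functions are running

    def __init__(self, size=0x1000, system_size=0x400, watchdog_period=100):
        self.cells = bytearray(size)
        self.system_limit = system_size         # [0, system_size) is the system partition
        self.partitions = {}                    # name -> (base, limit), allocated by the kernel
        self.boundary = self.SYSTEM_MODE        # address boundary register (170 in the text)
        self.watchdog_period = watchdog_period  # programmable period, counted in accesses here
        self.ticks_left = watchdog_period
        self.registers = {"key": 0}             # stand-in for the secure microprocessor's registers
        self._stack = []                        # registers are stacked here before a transfer
        self.user_interrupts = []               # user interrupt 180 events seen by the kernel

    # ---- secure system functions: the only code allowed to program the boundary register ----
    def kernel_allocate(self, name, base, size):
        limit = base + size
        if base < self.system_limit or limit > len(self.cells):
            raise ValueError("user partitions lie strictly above the system partition")
        for other_base, other_limit in self.partitions.values():
            if base < other_limit and other_base < limit:
                raise ValueError("user partitions must not overlap")
        self.partitions[name] = (base, limit)

    def kernel_transfer_to_user(self, name):
        self._stack.append(dict(self.registers))          # stack ...
        self.registers = {k: 0 for k in self.registers}   # ... and clear sensitive registers
        self.boundary = self.partitions[name]             # program 170 for this partition
        self.ticks_left = self.watchdog_period            # arm the watchdog

    def kernel_regain_control(self):
        self.boundary = self.SYSTEM_MODE
        if self._stack:
            self.registers = self._stack.pop()

    # ---- decode logic (25 in the text): every access passes through here ----
    def _decode(self, addr):
        if self.boundary is self.SYSTEM_MODE:
            return addr                                   # system functions may address anything
        base, limit = self.boundary
        if not base <= addr < limit:
            raise PartitionViolation(f"{addr:#06x} outside [{base:#06x}, {limit:#06x})")
        self.ticks_left -= 1
        if self.ticks_left < 0:                           # crashed or looping user function
            self.kernel_regain_control()
            raise WatchdogExpired("user function pre-empted by watchdog")
        return addr

    def read(self, addr):
        return self.cells[self._decode(addr)]

    def write(self, addr, value):
        addr = self._decode(addr)
        self.cells[addr] = value & 0xFF
        if self.boundary is not self.SYSTEM_MODE and addr == self.boundary[1] - 1:
            # assumed convention: writing the top cell of a partition raises user interrupt 180,
            # handing processing back to the secure system functions in a controlled way
            self.user_interrupts.append((self.boundary, value & 0xFF))
            self.kernel_regain_control()


def demo():
    """Run two user functions and report what the decode logic allowed or blocked."""
    mem = SecureMemory()
    mem.registers["key"] = 0x5A                   # sensitive value held by a system function
    mem.write(0x010, 0x42)                        # secret in the system partition
    mem.kernel_allocate("pso_a", 0x400, 0x100)
    mem.kernel_allocate("pso_b", 0x500, 0x100)
    out = {}
    mem.kernel_transfer_to_user("pso_a")
    out["regs_cleared"] = mem.registers["key"] == 0
    mem.write(0x410, 7)
    out["own_read"] = mem.read(0x410)
    for label, addr in (("system_read", 0x010), ("peer_read", 0x510)):
        try:
            mem.read(addr)
            out[label] = "allowed"
        except PartitionViolation:
            out[label] = "blocked"
    mem.write(0x4FF, 1)                           # user interrupt 180: back to system mode
    out["regs_restored"] = mem.registers["key"] == 0x5A
    out["interrupts"] = len(mem.user_interrupts)
    mem.kernel_transfer_to_user("pso_b")          # a user function that never yields
    try:
        for _ in range(1000):
            mem.read(0x500)
        out["watchdog"] = "never fired"
    except WatchdogExpired:
        out["watchdog"] = "fired"
    out["system_mode_after"] = mem.boundary is SecureMemory.SYSTEM_MODE
    return out
```

The model carries the two invariants the text relies on: only the `kernel_*` functions (the secure system functions) can program the boundary register, and every user-mode access passes through `_decode` before it reaches a cell, so a user function can neither read the system partition nor a peer's partition, and one that never hands back control is pre-empted with the system registers restored from the stack.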

6. Initial Programming, Reprogramming and Erasure of secret information:

The invention allows for secure system initialisation functions (SSIF) that may use any method and apparatus to initially program secure system functions into secure locations within the SPD, preferably into battery backed static RAM. This usually occurs prior to release of the SPD from a secure environment. The SSIF are part of the secure system functions; however, they include information that is preferably not made public, although the invention is not compromised should this occur. For this reason they are suitable for use in mask ROM. Any other secure system functions may be included into mask ROM; however, this is not the preferred location for any information of a sensitive nature. In addition to security factors, the storage of the majority of secure system functions in reprogrammable storage elements allows them to be readily updated. The invention allows that the SSIF may be used later to erase and or modify and or reprogram the SPD at a later date. The invention also allows that part or all of the functions within the SSIF may be called by other secure functions as part of the normal operation of the SPD. For example the routines to load information from external interfaces and to program information into flash memory have obvious multiple uses. Certain provisions within the SSIF should only be capable of use when it is known that secure information within the device is invalid.

The preferred method and apparatus is to store the Secure System Initialisation Functions within (preferably secure) storage locations prior to encapsulation (that may be the package of an IC and or any other additional packaging) of the device at the time of manufacture. As a minimum, the SSIF information included within the device at the time of manufacture should be sufficient to load and or program other information into the device and where necessary initiate processing of said other information. This provides an SPD that may then modify itself as required. Said other information may be any information and may include additions to the SSIF not included at manufacture. The storage locations should retain SSIF functions (in part or whole) when other information within the device is erased for any reason. The SSIF may include any required support hardware to program particular storage devices, eg. charge pumps and or supply of special voltages and or timers and or glass windows to erase EPROM. The SSIF is usually implemented within secure memory (that is preferably mask ROM, however, it may be any suitable type of storage device) and usually includes functions:

to respond to a command to activate one or multiple SSIF functions (and or any other necessary commands); and or
to retrieve externally supplied information, that use any method and apparatus provided for in a particular SPD, and to program this information and or any other information into required locations; and or
to finish programming; and or
to verify that the programmed information is error free; and or
to terminate the process such that various applicable [...]
to direct processing to part of the information that has been programmed (and or otherwise initiate access to this information).

The ability to load information and subsequently direct processing to this information is a key aspect of the invention. With the addition of a suitable decryption method within the SPD, the SPD may load encrypted information, decrypt this information and then direct processing to said decrypted information. The addition of routines to pass information back to external locations completes the process (described later).

The SSIF and any subsequent secure system functions may load information from any relevant external location to assist the process and or may call routines within external locations to assist the process.

Any SSIF function that allows programmed information to be read back [...] occurs) may use any method and apparatus to prevent a user from activating this function [...] being able to access secret information. The preferred method flags a non-volatile programmable location once the readback process is complete in a manner that does not leave said flag clear in the event of a partial readback. The preferred method to prevent said flag being clear in the event of a partial readback is to activate a timer that times out after a predetermined interval and sets the flag preventing further verification readback by triggering a flip flop. It is preferable said flag can only be cleared after secure storage elements have been erased and or otherwise suitably modified. This is not a function that should be available in unsecure environments.

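The readback gate described above, as a small C model added here for illustration; it is not code from the patent. The secret length, the window length in timer ticks, and the extra non-volatile "started" flag that is consulted at power-up are assumptions made for the example, chosen so that a readback interrupted by loss of power cannot leave the flag clear either.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RB_SECRET_LEN   8   /* size of the programmed secure information (assumed) */
#define RB_WINDOW_TICKS 4   /* length of the readback window in timer ticks (assumed) */

struct readback_gate {
    uint8_t  secret[RB_SECRET_LEN];
    /* Non-volatile flags: survive power loss, cleared only by rb_erase_secure(). */
    uint8_t  readback_started;  /* latched when a readback window is opened        */
    uint8_t  readback_done;     /* the flip-flop output: once set, no more readback */
    /* Volatile state of the timer and the read pointer. */
    bool     window_open;
    uint32_t ticks_left;
    size_t   next_index;
};

/* Erasing the secure storage is the only operation that clears the latch. */
void rb_erase_secure(struct readback_gate *g) {
    memset(g, 0, sizeof *g);
}

/* Program the secure information. Refused unless the storage was erased first,
 * so the latch cannot be reset by simply reprogramming. */
bool rb_program(struct readback_gate *g, const uint8_t data[RB_SECRET_LEN]) {
    if (g->readback_started || g->readback_done) return false;
    memcpy(g->secret, data, RB_SECRET_LEN);
    return true;
}

static void rb_latch(struct readback_gate *g) {
    g->readback_done = 1;      /* trigger the flip-flop */
    g->window_open = false;
}

/* Open the single verification readback window and start the timer. */
bool rb_begin(struct readback_gate *g) {
    if (g->readback_started || g->readback_done) return false;
    g->readback_started = 1;
    g->window_open = true;
    g->ticks_left = RB_WINDOW_TICKS;
    g->next_index = 0;
    return true;
}

/* Timer tick: expiry latches the flag no matter how far the readback got. */
void rb_tick(struct readback_gate *g) {
    if (!g->window_open) return;
    if (--g->ticks_left == 0) rb_latch(g);
}

/* Next byte of the programmed information, or -1 once readback is no longer
 * permitted. Reading the final byte also latches the flag. */
int rb_read_next(struct readback_gate *g) {
    if (!g->window_open || g->readback_done) return -1;
    int value = g->secret[g->next_index++];
    if (g->next_index == RB_SECRET_LEN) rb_latch(g);
    return value;
}

/* Power-up after a loss of power: the timer state is gone, but the
 * non-volatile "started" flag shows a window was opened and not completed,
 * so the latch is set instead of allowing a fresh window. */
void rb_power_up(struct readback_gate *g) {
    g->window_open = false;
    g->ticks_left = 0;
    if (g->readback_started && !g->readback_done) rb_latch(g);
}
```

Whether the window closes by timer expiry, by reading the last byte, or by a power cycle, `rb_begin` refuses a second window until `rb_erase_secure` has wiped the secret, which is the property the paragraph asks for.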

Disclosure of the information constituting the actual SSIF is unlikely to jeopardise the security of other secret information, however, it is preferable that unauthorised parties are prevented from initialising and or erasing and or reprogramming the device and any method and apparatus may be used to implement this. It is preferable that these processes are password protected (using any password system) against unauthorised use.

One method of implementing SSIF would be to serially clock the required information into the device via latches (that may require a certain predetermined sequence to activate the process). This may not require any predetermined software routines within the device.

The preferred method uses a secure software routine executing from within secure ROM that uses the Timed Password Access process described below to activate programs that perform the functions previously described for a SSIF, transferring the relevant externally supplied (and usually secret) information to the relevant internal storage devices and subsequently initiating processing of this information.

The actual method of programming information into the storage device depends on the type of storage device and may use any known method.

The timed password access method makes it unlikely that the password protection will be defeated, while retaining functionality for those parties with the necessary knowledge, even in the presence of previous unsuccessful attempts at programming and or deliberate attempts to inactivate the device (eg. computer viruses). This contrasts with password systems that permanently inactivate the process after a predetermined number of attempts, possibly preventing further programming of the device by authorised parties.

The invention allows that a preferably unique password is programmed (usually as part of SSIF) into the device. Without access to this unique password the probability of unauthorised activation of SSIF is not of practical concern.

In an SPD integrated within a system microprocessor, particularly one with multiple microprocessors within, the SSIF may reside in memory locations exclusive to one of the multiple CPUs and be transferred where necessary, using any internal mechanisms (including software), to any required storage devices; and or may be loaded into memory locations shared by multiple CPUs within the package; and or may be loaded into multiple locations, each location of which is exclusive to a particular CPU within the device.

The invention allows that only one CPU or a subset of available CPUs load information for other CPUs, and or that particular CPUs load information for their own use.

The preferred method of activating the SSIF functions when the SPD is within the system microprocessor is to load the password into one or multiple CPU registers and execute a specially created instruction that activates SSIF to read the password and continue as appropriate. An alternative is to use the functions that detect and process the post instruction symbol stream as described later.

The timed password access (also referenced as TPA) may use any method and apparatus to hinder a person attempting unauthorised access to any particular password protected event. It is based on a password of such complexity that in practice it would take such a long time to try all the possibilities that it is not practical to gain access to the protected event. Said complexity is assisted by incorporating a delay that limits the frequency of attempted access. Said delay may be variable for any reason (eg. to allow for operator errors) and may be created using any method including software loops and or physical delays. The delay may be a hierarchical system that includes different delays depending on the number of incorrect attempts at access. It is preferable that said delay is unaffected by powering down of the device to prevent rapid power cycling defeating delay mechanisms.

One method and apparatus consists of the following steps:
a) create one or more password keys that are stored securely.
b) create a means to store a cumulative count in a device that is reprogrammable.
c) create a means to generate a known time interval. The invention allows for embodiments allowing a variable interval; this is most readily achieved by a software [...]
d) create a means to input a password, eg create a specific instruction that can pass externally supplied information to the relevant routines.
e) create a means to input the function required [...]
f) user activates d) and e), including transferring password and target function to the process;
g) check the value in cumulative count in b).
h) if less than certain predetermined value then go to step j) else proceed.
i) invoke c) to generate time delay.
j) increment the value in b).
k) confirm step j) has occurred if there is a chance that external influence [...]
l) input password using d) and compare with key in a). If a match [...]
m) set flag in external memory to indicate failed attempt [...]
n) exit, to try again enter at f). (If predetermined count above c) retry will be immediate, otherwise a delay will be encountered every time).
o) clear flag in external memory to indicate success.
p) proceed with called process.
q) return to external memory when finished.

Note: for passwords that protect access to processes that are implemented after destruction or alteration of erasable areas, software routines and associated key codes should be stored within memory that is not erased.

The advantage of TPA over a limited number of attempts that then blocks the system, is that it prevents the accidental and or deliberate permanent disablement of part or all of the device. The invention allows for a mix of methods.

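The following C program is an added example, not code from the patent, that carries steps a) to p) above through one access attempt. The 16-byte key, the constructed demonstration key value, the threshold of three immediate attempts and the doubling delay schedule are assumptions chosen for the example; the page leaves these parameters open. The delay is handed to a callback so that a real device can spin a loop or arm a hardware timer while the example merely records the interval.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TPA_KEY_LEN       16   /* assumed key length */
#define TPA_FREE_ATTEMPTS 3    /* assumed: attempts allowed before the delay starts */

enum tpa_status { TPA_OK = 0, TPA_BAD_PASSWORD = 1 };

/* Step i) hook: a real device would block here; the example only records. */
typedef void (*tpa_delay_fn)(uint32_t ms);

struct tpa_device {
    uint8_t  key[TPA_KEY_LEN]; /* a) password key held in secure storage          */
    uint32_t attempt_count;    /* b) cumulative count in reprogrammable storage   */
    uint8_t  failed_flag;      /* m)/o) flag visible in external memory           */
    uint32_t last_delay_ms;    /* interval imposed by step i) on the last attempt */
};

/* Constructed demonstration key; not a value from the page. */
static const uint8_t TPA_DEMO_KEY[TPA_KEY_LEN] = {
    0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
    0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42
};

/* c) hierarchical delay: none while the count is below the threshold, then
 * doubling for every further attempt, capped so the shift cannot overflow.
 * The count is non-volatile, so power-cycling does not shorten the delay. */
uint32_t tpa_delay_for(uint32_t count) {
    if (count < TPA_FREE_ATTEMPTS) return 0;
    uint32_t excess = count - TPA_FREE_ATTEMPTS;
    if (excess > 10) excess = 10;
    return 1000u << excess;   /* 1 s, 2 s, 4 s, ... up to 1024 s */
}

void tpa_init(struct tpa_device *dev, const uint8_t key[TPA_KEY_LEN]) {
    memset(dev, 0, sizeof *dev);
    memcpy(dev->key, key, TPA_KEY_LEN);
}

/* l) compare without revealing where the first mismatch is: every byte is
 * always inspected, so the comparison time does not depend on the input. */
static bool tpa_key_match(const uint8_t *candidate, const uint8_t *key) {
    uint8_t diff = 0;
    for (size_t i = 0; i < TPA_KEY_LEN; i++) diff |= candidate[i] ^ key[i];
    return diff == 0;
}

/* Steps f) to p) for one access attempt. */
enum tpa_status tpa_attempt(struct tpa_device *dev, const uint8_t *password,
                            tpa_delay_fn wait) {
    /* g), h), i): below the threshold continue at once, otherwise wait first. */
    dev->last_delay_ms = tpa_delay_for(dev->attempt_count);
    if (dev->last_delay_ms != 0 && wait != NULL) wait(dev->last_delay_ms);

    /* j), k): count the attempt before comparing, so that cutting power
     * during the comparison still costs an attempt. */
    dev->attempt_count++;

    /* l), m), n): on mismatch flag the failure and exit. */
    if (!tpa_key_match(password, dev->key)) {
        dev->failed_flag = 1;
        return TPA_BAD_PASSWORD;
    }
    /* o), p): success; the caller proceeds with the protected function. */
    dev->failed_flag = 0;
    return TPA_OK;
}

int main(void) {
    struct tpa_device dev;
    uint8_t wrong[TPA_KEY_LEN] = {0};
    tpa_init(&dev, TPA_DEMO_KEY);
    for (int i = 0; i < 4; i++) {
        tpa_attempt(&dev, wrong, NULL);
        printf("attempt %u: wrong password, delay before it %u ms\n",
               dev.attempt_count, dev.last_delay_ms);
    }
    enum tpa_status s = tpa_attempt(&dev, TPA_DEMO_KEY, NULL);
    printf("attempt %u: %s, delay before it %u ms\n", dev.attempt_count,
           s == TPA_OK ? "correct password" : "rejected", dev.last_delay_ms);
    return 0;
}
```

The count is left cumulative on success, as the steps above describe, so after many failures even the legitimate party waits; if a design resets the count at step o) it should do so only after the key comparison has succeeded, never before.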
Electronic Signature. One or more processes during manufacture and or initial programming and or normal operation of the invention may need to identify parameters unique to a particular PCPU and or ESPD and or unique to a particular group of PCPUs and or ESPDs (for any reason, including for example relating a secure database to a password to activate the initialisation program described above). This may be done by any method known to the art including physical markings on the outside of the CPU package, however, the invention allows for one or multiple serial numbers and or any other identifying symbols [...] time of manufacture. These are amenable to retrieval under program control and or any other form of automatic process using any method and apparatus. This provides an automatic method of uniquely identifying a particular device and or group of devices. This is referenced as an electronic signature and is usually included as part of the SSIF. Said one or multiple electronic signatures may be transferred to an external location using any method and apparatus and used by an authorised party as an index to secure information stored within that particular device (and or for any other reason). The preferred method when the device is a PCPU is to create a specific instruction that when executed stores said serial number from a non-volatile storage location within SSIF to a predetermined CPU register. This process is usually accessible to anyone, although it may be protected by passwords and or any other method. For ESPDs the serial number is usually read from an addressable location within the ESPD by the system CPU. In the case of the ESPD described with reference to figure one, the secure system interface functions programmed into flash memory 708 would include the electronic signature [...] when the microprocessor 707 is first activated by an interrupt on 731 after programming of said secure system initialisation functions, a routine would transfer the electronic signature to a predetermined location in the dual port memory 704, where it is accessible to the system microprocessor.

The invention allows that a secure system user password function may be included within one or multiple PCPUs and or one or multiple ESPDs and this may be required to activate part and or all of the [...] system CPU it may also be required to enable the normal processing functions of the device, providing a secure method of stopping unauthorised use of the UCDPS containing said system CPU. Any method and apparatus may be used to implement this function. The usual presence of programmable memory and programmable non-volatile storage elements provide for a plurality of methods. The invention allows for a multi-tiered password system. The preferred embodiment is a time based password system (as discussed elsewhere) that resides in secure system memory and activates routines that reverse various locks placed on part or all of the device.

The password functions usually include routines to disable part or all of the device in response to a specific command, a method that requires the user to specifically disable the SPD, and preferably requires entry of the correct password; and or functions (usually implemented in hardware) that disable part or all of the device in response to reset and or power down and or any other criteria including automatic timeout (preferably programmable); the password processing system is not usually disabled; these functions automatically disable the SPD and or other applicable devices and require the correct password to reactivate the SPD and or [...]

The password(s) is usually stored in secure non-volatile system memory. The device may be shipped to the user with a known default password and or the password system disabled. Entry to the password system may use any method. In the case of a PCPU this may include use of a special instruction and or a suitable post instruction symbol stream (PISS). In the case of a ESPD it may involve passing information using one or multiple methods as described elsewhere in this application, usually by writing and or reading predetermined address locations. A user accessing the device with the correct password may be able to change passwords.

The password system is usually constructed to allow the service provider to reinitiate or disable said password system by supplying an appropriate software object, preferably [...]

The inclusion of at least one unique and secure code within each device together with other suitable support resources allows a plurality of methods of secure information transfers to be established between an information provider with access to the secure contents of the device, and or provides for the secure transfer of information in the reverse direction, and or permits information to be specifically encrypted for a particular secure system. These are referenced as system local code functions and they assist the implementation of multiple secure applications, including the secure transfer of information to a device that can verify the source and or validity of the information, and or the secure supply of information from a particular device that the [...] can [...] information receiver (with access to the secure information within the originating secure system CPU); this may be used for any reason including secure communications and or the secure transfer of electronic funds.

The inclusion of one or multiple system group codes [...] (eg. those destined for the same country) may be used for any reason. This may include the restriction of certain PSOs to particular group codes. One or multiple group codes may be common to an SPD [...] part or all of group codes may be user programmable and or password protected. This may allow, for example, parents to restrict children's access to particular PSOs.

The secure local and or group codes may be data and or actual computer instructions.

The effectiveness of the software distribution system forming part of this application is partly dependent on a service provider having access to secure information within each SPD and that some of this information is common to multiple SPDs enabling creation of PSOs that have general application, and that some information is specific to a particular SPD.

The inclusion of secure system command functions to detect instructions (that may be implied instructions) amongst information supplied to the SPD (using any method and apparatus) and or generated by a secure user function and or generated by secure system functions requesting the SPD to perform certain tasks [...] include:
commence execution of internal programs from any source; and or
pass data received from external sources to internal functions; and or
receive a request from internal function to transfer processing back to [...]
accept data from internal functions for transfer to a location readable by the system CPU; and or
provide a command structure within the SPD to co-ordinate other system functions and, where appropriate, interact with secure user functions; and or
where applicable, co-ordinate interaction with realtime decryption processes; and or
any other required function.

The invention allows for any method that permits an SPD to monitor a PSO as it is executed in order to detect various specially constructed process transfer instructions and or other suitable markers that indicate that interaction with the SPD is required. This particularly applies to a PCPU, where the method usually involves the transfer of processing from external unsecure memory to internal secure locations for continued processing by the system microprocessor using secure methods and or by other embedded microprocessors (that may include other system microprocessors), and or the activation of realtime decryption to use encrypted information in an external location.

The process transfer instruction may inherently direct external programs to the appropriate internal function or may require a post instruction symbol stream as described with reference to the preferred embodiment.

Secure system command functions also include any functions to transfer processing [...]

The secure system function should be structured so that entry to system functions is in a regulated manner. This is readily achieved for an ESPD where [...] locations that may have various validity checking performed on the data. The process is more complex for a PCPU and described in more detail with reference to a PCPU.

An important function of secure system command functions is to direct the decryption of incoming encrypted information, direct the transfer of the decrypted information to a suitable location and, where this decrypted information consists of computer instructions, direct execution to the relevant starting point in the decrypted program and provide any necessary support functions as said computer program is executed. When the incoming encrypted information is data this should be processed as required, which may include appropriately linking it with any internal and or external programs and or data and or special purpose functions (eg. the data may be used to configure programmable logic, creating its own decryption engine) including a linked master program also transferred in encrypted format. The command functions also direct the return of execution and or data to external locations as required.

7. The invention also allows that one or multiple hardware devices within [...] or whole from programmable logic devices. This particularly applies to encryption/decryption engines that may be dynamically engineered as required. The preferred type of programmable logic is that known to the art (refer to programmable gate arrays by Xilinx) using battery backed static memory to create the interconnections between various logic gates, as this may be rapidly erased if required. The information to transfer this information to the programmable logic elements is preferably via one or multiple addressable locations, and is preferably parallel data. Part or all of such devices may need programming prior to leaving a secure location.

8. Secure Decryption, Secure Processing, Secure Decryption and Processing, Secure Processing of Information Unique to the SPD. The system functions should provide suitable software routines such that, when requested by appropriate commands, they perform a combination of functions that affect any combination of the following:
• for the secure transfer of at least a portion of encrypted information constituting part or all of a software object from a location external to said physical device, to a location internal to said physical device, wherein said physical device securely decrypts part or all of said encrypted information within said physical device in conjunction and or subsequent to said transfer and
• may initiate and securely process part or all of the ensuing decrypted information in conjunction and or subsequent to the decryption process and
• may interact in any way with any other internal and or external information to correctly said process and may terminate said process as required and
• said terminate may transfer data and or execution to any other internal and or external location, including the external software object and
• the preceding processes occur in a manner that minimises or eliminates analysis of part or all of the decrypted instructions and or data; and or
• that includes computer instructions and or data securely programmed within said physical device and a facility for an external software object to transfer processing to said computer instructions and or data securely programmed within said physical device; and the capability of processing part or all said securely programmed within in a secure manner, interacting in any way with any other internal and or external information to correctly said process and
• may terminate said process as required and
• said terminate may transfer data and or execution to any other internal and or external location, including the external software object and
• the preceding processes occur in a manner that minimises or eliminates analysis of secret information; and or
• with the capability of being suitably requested by an external software object to provide information securely stored within.

The secure system decryption/encryption functions (together with the necessary command functions to load encrypted information and or to execute, and or otherwise manipulate, the information decoded from this encrypted information, possibly in conjunction with clear code and or other decoded information) may eliminate the requirement to preload specific secure user functions into the device prior to [...] each PSO may include the secure user function as encrypted information [...] resulting in a device that can securely process part or all of a diversity of software objects. As suitable system command functions may be constructed to dynamically load blocks of encrypted information in and out of secure user (and or system) memory, much larger portions of encrypted information may be utilised as part of a software object than is the case with devices [...] into a limited amount of secure user (and or system) memory.

In addition to decrypting and executing the equivalent of secure executable user functions, the invention also allows that the device may securely add to and or edit secure system functions using a similar process.

The invention also allows for part of the secure system functions to be loaded (usually in encrypted format) into the device from external storage each time a UCDPS is booted (and or on any other [...]).

The security of the secure system routines and in particular secure system decryption routines stored within the SPD is pivotal to maintaining the security of [...] using the device. The information within secure system functions must be protected to a level that makes it not practical to defeat and, while any storage method may be used for the secure system functions within the device, the preferred method uses battery backed static memory. This can be rapidly erased in the event of tampering, and such a requirement particularly applies to any system functions that are stored in decoded format.

The transfer of information from one location to another may result in transmission errors and the invention allows for secure system error detection functions that may use any known method and apparatus to detect and or correct these errors.

As the usual location of the SPD is within the UCDPS, information that is to be transferred to the SPD may be accessible and deliberately modified, eg. computer viruses and or attempts to reverse engineer the SPD. The invention allows for secure system validity checking functions that may use any method and apparatus to verify that the information supplied to the SPD is as intended by the information provider, and or take any required actions that may include directly or indirectly (usually via secure system error monitoring routines) disabling part or all of the SPD. Where applicable, this may include the erasure and or alteration of secure [...]

The use of cyclic redundancy checking (or CRC) of information generated by a service provider and included within a PSO and then encrypted is one method of providing secure validity checking functions. The implementation of this process in the SPD may use any combination of hardware and software. The process is well known to the art.

9. Secure system decryption/encryption functions: The decryption functions may in part or whole be implemented in software to decrypt externally supplied and encrypted information using any known methods, including the data encryption standard. One or multiple hardware based encryption/decryption engines may perform the decryption, in part or whole. Such an engine is one compatible with the Data Encryption Standard (DES). The method of using predetermined processes located within the SPD to decrypt (and encrypt) information is referenced as the Standard Decryption Process in this application. Standard Decryption Processes may require the supply of various codes to function correctly. The original cryptography processes were developed for the secure communication of information between parties and they work well when this is the primary motive. When the purpose of encryption is to enable one party, in this case the producer, to encrypt information to protect it against unauthorised use, and the second party is a user who may prefer that the information was not encrypted, then the original basis for secure cryptography changes, and the premise for security is based on the fact that said second party will receive information, however it will be difficult for them to access it in clear code. This has resulted in various specialised devices to decrypt information. As described this method does not provide a system that is 'not practical' to defeat. The described method of secretly decrypting and executing information provides a method that is not practical to defeat.

The capability of supplying an SPD with a PSO that can be made to perform any desired function within an SPD that is consistent with available resources and constraints of said SPD, allows said SPD to be dynamically modified to perform any function as required. This permits a PSO and or any other internal and or external function to request one or multiple decryption functions to be loaded into the SPD. Said decryption functions may include information that is used to dynamically manufacture a hardware decryption facility from programmable logic within said SPD.

The capability of significantly varying the decryption process, and or constructing hardware cipher engines from volatile electrical connections that cease to exist when subjected to analysis, and or dynamically engineering cipher engines to suit a PSO makes characterisation of the decryption process very difficult. The known art does not describe such a method and apparatus, which this invention references as Dynamic Decryption in this application.

By including one or multiple decryption processes within an actual PSO, the decryption process can become self modifying, with the instructions of the actual PSO varying decryption parameters and or decryption algorithms and or installing, in part or whole, one or multiple new decryption algorithms during the process of executing the PSO that are further used to decrypt additional parts of the PSO. This may occur on multiple occasions, in any combination, during execution of the program. The key to this process is to include with the PSO a sub-routine that can be recognised and executed by functions within the SPD, and said sub-routine initiates the process of unlocking the subsequent encrypted material. Said sub-routine is encrypted using a process that is known to be reversible by functions within the SPD. The known art does not describe such a method and apparatus, which this invention references as Recursive Decryption in this application.

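As an added C example that is not the patent's own code, the following program serves two of the passages above: the CRC validity check of a PSO's contents computed before encryption, and the Recursive Decryption arrangement in which a first encrypted block, reversible with the device's secure key, yields what is needed to decrypt the rest of the PSO. The PSO layout, the 32-bit keys, the constructed sample body and the placeholder keyst­ream cipher (standing in for the DES-compatible engine the page prefers; it is not secure) are all assumptions of the example, and the first stage is modelled as a key block rather than an executable sub-routine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum pso_result { PSO_OK = 0, PSO_TAMPERED = -1, PSO_MALFORMED = -2 };

#define PSO_HDR_LEN 6   /* 4-byte encrypted stage key + 2-byte body length (assumed layout) */

/* CRC-32 (IEEE 802.3 polynomial, reflected form), computed bitwise. */
uint32_t crc32_ieee(const uint8_t *data, size_t len) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Placeholder keystream cipher (xorshift32 XOR) standing in for the DES engine.
 * It only illustrates the layering and is not cryptographically sound.
 * XOR makes encryption and decryption the same operation. */
static void toy_stream_xor(uint32_t key, uint8_t *buf, size_t len) {
    uint32_t s = key != 0 ? key : 0xA5A5A5A5u;   /* xorshift needs a non-zero state */
    for (size_t i = 0; i < len; i++) {
        s ^= s << 13; s ^= s >> 17; s ^= s << 5;
        buf[i] ^= (uint8_t)s;
    }
}

static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Service-provider side: the stage key is sealed under the device's secure key,
 * the body carries its CRC and is encrypted under the stage key.
 * Returns the PSO length, or 0 if the output buffer is too small. */
size_t pso_build(uint32_t device_key, uint32_t stage_key,
                 const uint8_t *body, size_t body_len,
                 uint8_t *out, size_t out_cap) {
    size_t total = PSO_HDR_LEN + body_len + 4;
    if (body_len > 0xFFFFu || out_cap < total) return 0;
    put_le32(out, stage_key);                  /* stage 1: key block ...        */
    toy_stream_xor(device_key, out, 4);        /* ... reversible only in the SPD */
    out[4] = (uint8_t)body_len;
    out[5] = (uint8_t)(body_len >> 8);
    memcpy(out + PSO_HDR_LEN, body, body_len);
    put_le32(out + PSO_HDR_LEN + body_len, crc32_ieee(body, body_len));
    toy_stream_xor(stage_key, out + PSO_HDR_LEN, body_len + 4);   /* stage 2 */
    return total;
}

/* SPD side: recover the stage key with the device key, decrypt the body with it,
 * and verify the CRC before execution would be directed to the body. On a
 * mismatch the decrypted material is wiped from `work` (which must hold
 * body_len + 4 bytes) so no suspect clear code is left behind. */
enum pso_result spd_load_pso(uint32_t device_key,
                             const uint8_t *pso, size_t pso_len,
                             uint8_t *work, size_t work_cap, size_t *body_len_out) {
    if (pso_len < PSO_HDR_LEN + 4) return PSO_MALFORMED;
    size_t body_len = (size_t)pso[4] | ((size_t)pso[5] << 8);
    if (PSO_HDR_LEN + body_len + 4 != pso_len || work_cap < body_len + 4)
        return PSO_MALFORMED;

    uint8_t key_block[4];
    memcpy(key_block, pso, 4);
    toy_stream_xor(device_key, key_block, 4);   /* stage 1 reversed inside the SPD */
    uint32_t stage_key = get_le32(key_block);

    memcpy(work, pso + PSO_HDR_LEN, body_len + 4);
    toy_stream_xor(stage_key, work, body_len + 4);   /* stage 2 */

    if (crc32_ieee(work, body_len) != get_le32(work + body_len)) {
        memset(work, 0, body_len + 4);
        return PSO_TAMPERED;
    }
    *body_len_out = body_len;
    return PSO_OK;
}

int main(void) {
    /* Constructed sample body; a real PSO body would be object code. */
    static const uint8_t body[] = "rented routine: compute pay-as-you-use charge";
    uint8_t pso[128], work[128];
    size_t n = 0;
    size_t plen = pso_build(0x1234ABCDu, 0x0BADF00Du, body, sizeof body - 1, pso, sizeof pso);
    printf("intact PSO:  %d\n", (int)spd_load_pso(0x1234ABCDu, pso, plen, work, sizeof work, &n));
    pso[PSO_HDR_LEN + 3] ^= 0x01;   /* one ciphertext bit altered in transit */
    printf("altered PSO: %d\n", (int)spd_load_pso(0x1234ABCDu, pso, plen, work, sizeof work, &n));
    return 0;
}
```

A wrong device key produces a wrong stage key and therefore a body whose CRC does not match, so the same check also refuses a PSO built for a different SPD; the CRC is only a transmission and tampering check, though, and a real deployment would pair it with the validity and error monitoring functions the page describes rather than rely on it for authenticity.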
The decryption processes described are on the basis of encryption of information [...] the secure information within multiple SPDs and the decryption of information in the target SPDs. PSOs may be encrypted for a specific SPD and or multiple SPDs.

The decryption processes described also may apply to the encryption of information from an SPD to a service provider. The user has no knowledge of the encryption process and usually little knowledge of the clear code being encrypted. The process can be made even more secure by the service provider se[...] process to the SPD. This process will have multiple applications and [...]

Standard Decryption and or Dynamic Decryption and or Recursive Decryption and or Realtime Decryption, and or the Coco method may be used in any PSO in any combination determined by the service provider. The service provider may always supply the required information to ensure any chosen encryption process may be reversed in one or multiple target SPDs. The invention allows for any known method of encryption and or decryption to be used with any part or all of the invention.

The encryption/decryption methods described pertain to communications between service provider and user. They are also applicable to the secure storage of information within a UCDPS, including the encryption and storage of various values in the UCDPS memory that are intermediate and or final [...]

The decryption and or encryption processes described for the invention may interact in any way with external processes and the interaction may assist with said decryption and or said encryption.

The preferred security provided by an SPD is its function of decrypting and executing encrypted programs in secret or decrypting and processing encrypted data in secret.

The invention also allows for the decryption of information that is not securely [...]

The invention allows that the SPD may be programmed with one or multiple secure user functions and any method and apparatus may be used to select the current secure user function. The system functions that perform this role are referenced as system switching functions and they allow that PSOs [...] and or multitasking [...]; said multitasking may occur alongside programs that do not require the use of the invention.

The use of battery backed storage elements (and or other continuous functions, eg. a security monitoring CPU) requires a continuous supply of power to the device in the absence of system power. The invention allows for any method and apparatus to achieve this including the integration of a battery into the device and or an external battery together with suitable monitoring and switching circuitry. An A/D converter may be included to detect changes to battery voltage for any reason. These are referenced as secure system power management functions.

The invention as described permits:

1) the secure transfer of encrypted information from an external source (including memory) using any method to one or multiple secure locations within a system CPU and or ESPD, and then

2) the use of any suitable combination of microcode and or hardware and or secure internal software routines and or data (that may be augmented by any other software routines and or data in any location) securely decodes this encrypted information and or stores the decoded (and or remaining encrypted) information in a secure location (usually internal to the device, however it may include encrypted information stored in suitable external locations), and then (and or during)

3) the processing of sufficient information from the encrypted and or decrypted information (and or any other internal and or external information that is accessible, directly and or indirectly) to enable the secure and secret use of sufficient secret information that it is not practical to gain any useful benefit from any information that is in clear code, and said clear code may be information that was never encrypted and or information that was encrypted and subsequently stored in unsecured locations, and

if the only reversible functional limitation applied to a software object is that which needs to be reversed by a device as described for a secret processing device, permits the original software object to be used as intended, and may do this without revealing part or all of the native object code constituting the software object, conditional upon the appropriate information being included within the SPD.

10. Automatic Reporting Facility.

A major application of the SPD as it applies to the secure distribution of software objects suitable for use on a UCDPS is to supply software objects that have been modified such that they must interact with the SPD on a frequent enough basis that the SPD may use this interaction to record the usage of software objects, in a manner that directly and or indirectly equates to a monetary value. These modified software objects are one type of PSO as described in this application and to distinguish them from other types of PSO they are subclassified as Commercial Protected Software Objects or CPSO. A CPSO has some requirement to the exchange, directly or indirectly, of money for the use of the CPSO. The usage of CPSOs may be time and or events based and or any other method. The preferred methods allow unlimited use of these CPSOs as long as certain criteria are complied with.

As the SPD preferably does not require its host UCDPS to be attached to any remote device that may exert some form of control on the use of CPSOs and as in many instances CPSOs have no intrinsic limitation on their lifespans and are readily available at little or no cost, a method is required to limit the use of CPSOs such that payment is made.

The invention allows for the use of CPSOs with an SPD to be controlled using any known method and apparatus and this is usually on the basis of one or multiple predefined limits electronically transferred to the SPD that are suitably adjusted as CPSOs are used. When the predefined limits are exceeded (and or in any other way reached) the SPD preferably stops processing the CPSOs. The invention allows that said predefined limits may be granted on any basis; the preferred method is to require prepayment for units. The invention does allow that there are no predefined limits on the use of CPSOs, however, this would usually only apply to major account customers and even they may prefer to have limits placed on what individual employees may spend on CPSOs.

The preferred method of controlling usage of CPSOs that permit […] SPD will record this use on any measurable units of use basis, is to prevent the SPD processing these CPSOs unless there is sufficient electronic credit within the SPD and or accessible to the SPD. This electronic credit may be stored in any form. The preferred method stores one or multiple values in the SPD.

11. An SPD may disable itself in part or whole when any requirements that are attached to the use of PSOs are not met. This includes when PSOs have been determined as being tampered with and it is determined that an unauthorised party is attempting to use software methods to compromise the SPD and or that there is physical tampering with the SPD and or that various requirements for transferring information accumulated by the SPD directly and or indirectly have not been met and or that various electronic credits have been used and or that various keys required to activate one or multiple PSOs have not been supplied and or are incorrect and or any other reason.

12. An SPD that is disabled in part or whole may be re-enabled in part or whole […] of an appropriately configured and validated software object.

13. Processing of Protected Software Objects by SPD: Using any suitable software routines that may be resident in the SPD and or require loading from any external sources and that may require assistance from any other SPD and or PSO and or external resources, the SPD responds to any suitable command generated by a software object requesting access to any one or multiple functions within the SPD by determining, at any appropriate stage, that a software object that has requested access to resources within the SPD is a software object that has been specially prepared to work in conjunction with the SPD and that it has not been tampered with. Such a software object said specially prepared is referred to as a PSO. A PSO is preferably encrypted, in part or whole, […] encryption processes. A PSO preferably includes embedded error and or validity checking information and this may use any one or multiple known methods. The process of ensuring that a software object is a valid PSO preferably includes one or multiple error and validity checking processes and the decryption and or execution of parts of the software object within the SPD.

If the object is not acceptable, the SPD may take any course of action including disabling part or all of the SPD, reporting an error to the user using any method, denying access with no report and or any other action. An object may not be acceptable for any reason including that the object was not created to use with an SPD or that changes within the software object have occurred. If the SPD receives a predetermined number and or types of errors it may decide that these errors are not legitimate and take any course of action to protect the security of the device. This may include granting no further access and or invalidation of part or all of the secure information within the SPD. The conditions that determine this course of action may be dynamically modified by the supply of an appropriate PSO.

If it is determined that the software object is a valid software object for use with the SPD, examination of any relevant part of the software object determines what action is required of the software object. Said action may include performing further validity checking and or decryption and or any other actions as the PSO is processed in conjunction with the SPD. Protected software objects preferably include information that identifies the type of information that is included within the object, resources required of the SPD, information to assist validity and error checking of the information, information to assist decryption of encrypted information and any other relevant information. Said any other relevant information may be anything consistent with the resources of the SPD because one feature of the SPD is its capability of being securely updated to perform any software function consistent with the resources of the SPD. This updating may be dynamically performed […] PSOs prior to supplying the PSO that will use the dynamically modified functions. Said PSO that will use the dynamically modified functions may itself include in part or whole the information for said dynamic modification.

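As an added illustration of the validation flow in item 13, together with the disable and re-enable behaviour of items 11 and 12, the following Python model (written for this edit, not code from the application) checks an integrity tag over a PSO container before decrypting it, counts bad objects, and locks the device once a fixed number have been seen. The container layout, the SHAKE-256 keystream, the HMAC-SHA256 tag, the error limit and the RE-ENABLE command are all assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed example of the validation step described for item 13: the SPD
# checks that a software object was prepared to work with it and has not been
# tampered with before it decrypts or executes any part of it. The container
# layout and constants below are assumptions for this illustration.

MAGIC = b"PSO1"          # hypothetical marker: "prepared for use with an SPD"
TAG_LEN = 32             # HMAC-SHA256 tag length
ERROR_LIMIT = 3          # predetermined number of errors before the SPD disables itself


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream from SHAKE-256 so the example needs no third-party cipher;
    the text allows any known encryption method."""
    return hashlib.shake_256(key + nonce).digest(length)


def prepare_pso(secret: bytes, body: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Service-provider side: encrypt the body and attach an integrity tag.
    Layout: MAGIC | nonce(16) | ciphertext | HMAC(secret, MAGIC|nonce|ciphertext)."""
    nonce = nonce or os.urandom(16)
    ct = bytes(b ^ k for b, k in zip(body, keystream(secret, nonce, len(body))))
    header = MAGIC + nonce + ct
    return header + hmac.new(secret, header, hashlib.sha256).digest()


class SPD:
    """Secret processing device: holds the secret, counts unacceptable
    objects and disables itself after ERROR_LIMIT of them (item 11)."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self.errors = 0
        self.disabled = False

    def _valid(self, obj: bytes) -> bool:
        if len(obj) < len(MAGIC) + 16 + TAG_LEN or obj[:4] != MAGIC:
            return False                      # not created for use with an SPD
        expected = hmac.new(self._secret, obj[:-TAG_LEN], hashlib.sha256).digest()
        return hmac.compare_digest(expected, obj[-TAG_LEN:])   # constant-time compare

    def _decrypt(self, obj: bytes) -> bytes:
        """Only called after the tag check has passed."""
        nonce, ct = obj[4:20], obj[20:-TAG_LEN]
        return bytes(c ^ k for c, k in zip(ct, keystream(self._secret, nonce, len(ct))))

    def process(self, obj: bytes) -> Optional[bytes]:
        """Return the decrypted body of a valid PSO; otherwise record an error,
        return None, and lock the device once the error limit is reached."""
        if self.disabled:
            return None
        if not self._valid(obj):
            self.errors += 1
            if self.errors >= ERROR_LIMIT:
                self.disabled = True          # protect the device's secret information
            return None
        return self._decrypt(obj)

    def re_enable(self, update_pso: bytes) -> bool:
        """Item 12: a disabled SPD is re-enabled only by a validated object.
        The update object uses the same container and must carry the
        (hypothetical) command b'RE-ENABLE' as its body."""
        if not self._valid(update_pso) or self._decrypt(update_pso) != b"RE-ENABLE":
            return False
        self.disabled = False
        self.errors = 0
        return True
```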

The following are the types of PSOs that an SPD suitable for use in the protection and distribution of software objects preferably includes, however, functions for one type of PSO may be combined in part or whole with any other one or multiple PSO functions to create one or multiple mixed functions.

a) Secure System Update PSO: these may modify the secure system functions of the SPD using any method including data and or program instructions that are to be loaded to specific locations within secure system memory and or they may be programs and or data that is to be executed to perform one or multiple functions and or any other method. This type of PSO is preferably heavily encrypted with multiple checksums. When validated, required action is performed by the SPD.

b) Electronic Credit PSO: this adds values to one or multiple non-volatile storage locations within the SPD. Said locations are preferably clear (and or any other predetermined values) when the SPD […] time. Said non-volatile storage is preferably flash memory, described […]; said values preferably equate to a number of units of available credit for use with various CPSOs and or any other reason. The use of these values may be for prepaid credits and these are stored in a location that is preferably decremented as available credit is used and or they may be for credits that are unpaid and are effectively a credit limit against use. Any method may be used to distinguish prepaid credits from unpaid credit.

c) Report Verification PSO: this verifies that a particular report generated previously by the SPD has been received by the SPD. It is preferably specific to a particular SPD in that unique information within the SPD is required to correctly validate and then perform the required functions. It may perform one or multiple functions, directly and or indirectly within the SPD. It usually resets any restrictions within the SPD that are awaiting receipt of the report verification PSO and may do this in any way. It also usually programs the relevant locations with a new reporting […] and or modifying in any way any part or all of the report generating and verification system.

d) CPSO as previously described.

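The credit and reporting behaviour described for CPSOs in section 10 and for the Electronic Credit and Report Verification PSOs above, as an added Python model that is not part of the application: prepaid units are consumed first, an unpaid credit limit is drawn on next, processing is refused once both are exhausted or while a usage report awaits acknowledgement, and the two PSO types top up credit and clear the reporting restriction. The prepaid/unpaid split, the report threshold, the field names and the settlement rule are assumptions; validation of the incoming PSOs is assumed to have already happened.

```python
from dataclasses import dataclass, field
from typing import Dict

# Constructed model of the credit handling the text describes for CPSOs and
# for the Electronic Credit and Report Verification PSOs. The split into
# prepaid units and an unpaid credit limit, the unit size and the reporting
# threshold are assumptions for this example, not values from the application.


@dataclass
class CreditStore:
    """Values the SPD would keep in non-volatile (e.g. flash) storage."""
    prepaid: int = 0          # units paid for in advance, decremented as used
    unpaid_limit: int = 0     # units that may be drawn on account
    unpaid_used: int = 0      # how much of that limit has been drawn so far
    usage_log: Dict[str, int] = field(default_factory=dict)   # UPID -> units used

    def available(self) -> int:
        return self.prepaid + (self.unpaid_limit - self.unpaid_used)


@dataclass
class SPD:
    store: CreditStore
    report_due_after: int = 100      # units of use before a report must be acknowledged
    units_since_report: int = 0
    awaiting_report_ack: bool = False

    def charge(self, upid: str, units: int) -> bool:
        """Record `units` of use of the CPSO identified by `upid`.
        Returns False, recording nothing, when the predefined limits would be
        exceeded or while a usage report still awaits its Report Verification PSO."""
        if self.awaiting_report_ack or units > self.store.available():
            return False
        from_prepaid = min(units, self.store.prepaid)     # prepaid credit is used first
        self.store.prepaid -= from_prepaid
        self.store.unpaid_used += units - from_prepaid    # remainder drawn against the limit
        self.store.usage_log[upid] = self.store.usage_log.get(upid, 0) + units
        self.units_since_report += units
        if self.units_since_report >= self.report_due_after:
            self.awaiting_report_ack = True   # block further use until the report is acknowledged
        return True

    def generate_report(self) -> Dict[str, object]:
        """Usage record for the service provider (the automatic reporting facility)."""
        return {"usage": dict(self.store.usage_log),
                "unpaid_used": self.store.unpaid_used}

    def apply_credit_pso(self, prepaid_units: int = 0, unpaid_limit: int = 0) -> None:
        """Electronic Credit PSO: adds values to the credit storage locations."""
        self.store.prepaid += prepaid_units
        self.store.unpaid_limit += unpaid_limit

    def apply_report_verification(self) -> None:
        """Report Verification PSO: the report was received, so the restriction
        awaiting it is reset. Treating the reported unpaid use as now invoiced
        (and restarting that count against the same limit) is an assumption."""
        self.awaiting_report_ack = False
        self.units_since_report = 0
        self.store.usage_log.clear()
        self.store.unpaid_used = 0
```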

Preparation of a Protected Software Object:

It is one object of the present invention to provide a method and apparatus for distributing a software object from a producer to potential users such that a user may make as many legal and or illegal copies of the software objects and distribute as widely as they wish, however, any user executing the software object must remunerate the producer and or service provider of the software object. […] achieve this is to convert the original software object to a version that is modified to a PSO that is usually still capable of potentially running on many UCDPSs, however, those must be equipped with a Protected CPU, and for any particular PCPU that the PSO is to operate in conjunction with […] to the PSO. This may or may not require intervention by the user. In the following description a reference to PCPU also applies to ESPDs. The preferred method allows the user unlimited use of PSOs contingent on them having sufficient electronic credit within and or securely accessible by the PCPU. The conversion from a software object to a PSO preferably occurs in a secure location.

Object Support Information:

One step in the creation of a PSO is to take a software object from the producer, referenced as the primary software object, and create Object Support Information (or OSI) that provides certain information to assist the execution of the PSO. The actual creation of the OSI is usually a co-operative process between the producer and service provider, however, any operations that require the use of information within the secure system memory of a PCPU would usually be restricted to the service provider. The OSI is usually placed near the start of the program […] be located anywhere throughout the program as long as it is arranged in a sequence acceptable to the PCPU that will process it, and or the PSO includes various information that may permanently and or temporarily modify the PCPU such that it can locate and use the OSI. To protect the information in OSI from tampering, part or all may be encrypted, and or may have various check sums that are preferably secure and or encrypted themselves. The OSI may be provided in part or whole as a separate program(s) and or as part of one or more other programs and or may already be present in the PCPU and or any other method. If the OSI is within separate modules and contains information that the producer does not want deleted, there should be a suitably secure cross reference in the main part of the PSO to check for the presence of independent modules and valid data within. The preferred embodiment includes all information within the body of the primary software object or one or multiple modules of the primary software object. The actual method to encrypt and decrypt information m[…] of levels and any combination of methods. The OSI is a description of certain functions that may be required, and they may be implemented using any known method and structure. The ability to program the secure functions within the target PCPU allows any new structure to be created by supplying a suitable PSO compatible with existing structures.

The following is a non-exclusive list of components that may be found in OSI:

Detection of Presence of a PCPU: this is usually executed immediately after the start of PSO execution. Should a PSO attempt to execute in an environment without a PCPU one or multiple adverse outcomes may result, for example the hard drive may be modified. The preferred embodiments of a PCPU allow access to the secure memory by the execution of various special instructions. As these instructions do not exist in a normal CPU, their execution in this environment may cause problems. The preferred methods of ensuring that PSOs are only used in a UCDPS that has an appropriate PCPU are:-

Common instruction trigger: a sequence of instructions that are common to a PCPU and the CPU that it replaces are combined such that a certain combination triggers various events in the secure parts of the PCPU. The following example shows one alternative:-

protected software loaded into memory
execution commences at a particular location that executes three no operation (NOP) instructions in sequence, followed by a branch to the next instruction that may be the start of three more NOPs (any number, combination and permutation of suitable instructions may be used)
the instruction following this is a branch to a routine to terminate execution
a CPU that is not a PCPU will execute these instructions and quickly terminate the program
a PCPU will have the facility to recognise the particular sequence of instructions; this triggers internal routines to modify the data in the branch instruction and or redirect external execution to a particular location that enables continued processing of the PSO.

This process is transparent to the operating system.

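The common instruction trigger, as an added simulation in Python that is not the application's own code: the same instruction list is run once as an ordinary CPU would execute it, falling into the terminate branch, and once with the PCPU's recognition logic, which patches that branch so execution continues into the protected program. The three-opcode instruction set, the encoding and the recognition logic are assumptions.

```python
from typing import List, Tuple

# Constructed simulation of the "common instruction trigger" described above.
# The instruction set, the encoding and the trigger-recognition logic are
# assumptions for this example; nothing here is taken from the application.

NOP, BR, HALT, WORK = "NOP", "BR", "HALT", "WORK"   # WORK stands in for real program code
Instr = Tuple[str, int]           # (opcode, operand); a BR operand is an absolute index

# Marker prepended to the protected program: three NOPs, then a branch to the
# very next instruction (index 4).
TRIGGER: List[Instr] = [(NOP, 0), (NOP, 0), (NOP, 0), (BR, 4)]
TERMINATE_BRANCH = 4     # index of the branch that sends a plain CPU to the HALT routine
ENTRY = 6                # index where the protected program body starts


def build_program(body: List[Instr]) -> List[Instr]:
    """Layout: TRIGGER (0-3) | BR to terminate routine (4) | HALT (5) | body (6...)."""
    return TRIGGER + [(BR, 5), (HALT, 0)] + body


def run(program: List[Instr], pcpu: bool, max_steps: int = 100) -> Tuple[str, List[int]]:
    """Execute `program` on an ordinary CPU (pcpu=False) or on a PCPU (pcpu=True).
    Returns (how it stopped, trace of executed instruction indices). The list
    is copied, so the loaded object itself is never modified."""
    code = list(program)
    pc, trace, recent = 0, [], []
    for _ in range(max_steps):
        if not 0 <= pc < len(code):
            return ("fault", trace)
        op, arg = code[pc]
        trace.append(pc)
        if pcpu:
            # Secure logic watches the executed stream for the marker sequence.
            recent = (recent + [(op, arg)])[-len(TRIGGER):]
            if recent == TRIGGER:
                # Recognised: rewrite the data of the terminate branch so that
                # it targets the real entry point instead of the HALT routine.
                code[TERMINATE_BRANCH] = (BR, ENTRY)
        if op in (NOP, WORK):
            pc += 1
        elif op == BR:
            pc = arg
        elif op == HALT:
            return ("halted", trace)
        else:
            raise ValueError(f"unknown opcode {op!r}")
    return ("running", trace)


def reached_body(program: List[Instr], pcpu: bool) -> bool:
    """True when execution got past the marker into the protected program body."""
    _, trace = run(program, pcpu)
    return any(i >= ENTRY for i in trace)
```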

Checking on availability of resources:

If the PSO is to execute in a multitasking environment where multiple tasks are concurrently executed on a time sliced basis, it is possible that the PCPU has a limited number […] to execute a routine to determine the availability of PCPU resources and any relevant information that the PSO requires to communicate with those resources; this information may be any sort of information including a reference task number, and an address or block of addresses the PSO should use to communicate with the PCPU, for example the user command and data ports 199 in Figure 4, and or the amount […] the PSO and or any other information. This process may also involve the PSO providing the PCPU with certain information. In the case of the PCPU described with reference to the drawings, this transfer of information would usually be via the nominated addresses constituting the System Command and Data Ports in the dual port memory.

Should the PSO currently be unable to use the PCPU it can take any known course of action, the commonest of which may include entering a delay routine and trying again later; an efficient method is to call a routine designed for this in the operating system, with or without a message displayed. A PCPU may have the facility to transparently override the operating system and a message may be displayed for the user to determine future action. Other actions may include program termination, with or without a message.

A PSO preferably checks various information currently resident within the secure system memory of the PCPU for the presence of certain functions within the system memory and that they are a version suitable for use by the PSO. This is usually confirmed by checking that the current version number of system memory functions is current for a particular PSO, however, it may use any method. Should certain functions not be current the invention allows that a PSO may be shipped with certain update information included as part of the PSO and or with other PSOs shipped with the PSO, and that a PSO may automatically and or at the user's direction update the system memory functions to current information and may suitably adjust the version number, and that this may be a temporary modification for the duration of execution of the PSO and or a semi-permanent and or permanent change. Should the system functions not be able to be updated for any reason, the PSO would usually terminate with a request for the user to arrange for the necessary changes to system functions, however, it may take any other action.

Conditions of Use:

As PSOs may need to identify to the PCPU the producer of the PSO (e.g. to log usage and allocate payments), a unique vendor identity code may be included in the PSO in a position and or any other way that can be determined by the PCPU. This code is usually consistent on each product from the producer. The invention allows for this method or any other to differentiate PSOs that are primarily commercial objects from those that provide various support functions.

To differentiate a particular program from others by the same producer a unique program identity code (UPID) is usually included in the PSO in a known location and or any other way that can be determined by the PCPU. This may be unique amongst products from the same producer, however, it may be identical to another product by another producer. This code may be further used to categorise a particular program, e.g. part of the […] the program as a game or a wordprocessor, etc, and this would usually be common across all UPIDs, another part may identify the version number and the balance may be used to ensure that the UPID is unique to any others from that producer. Any other relevant information may also be included in the code. The invention allows that the various sub-parts of information included in this code may in part or whole be allocated their own codes.

The invention allows that the billing for the use of a PSO may use information included within the PSO. Any of the following information may be located where the PCPU and or any other applicable devices or routines can identify it:

Currency Identifier - this indicates the currency in which the producer of the PSO is to be paid. It is mainly used by the service provider, however, it may be used for any reason.

Personal User Device Id - this […] device described in another application that lets the users of one UCDPS temporarily or permanently port various access and billing to another UCDPS.

Timed Basic Charge (or TBC) - is the unit rate for use of the product. […] time interval may be used. It is anticipated that users will ultimately determine the type of billing they want, and it will probably be based on a time used basis associated with certain frequency discounts and possibly a cut off point at which there are no additional charges. The charge rate is usually in terms of a standard unit - for example it may be US Dollars. Whatever standard rate is chosen is usually standardised across PSOs. […] amount in any currency may be used. The invention also allows that the TBC for various countries may be different, for example to allow for different economic conditions. Any particular PSO may include the entire set of TBCs for all countries or only a subset. The TBC may not be available to all regions. The invention allows that a discount schedule may apply to the TBC for increasing use or whatever reason, and that this may vary from one region to another, and this discount schedule may be stored in the PSO. Further discounting may apply for different types of users, e.g. government, education, business, and part or all of this information may be stored in a PSO. Various vendors may wish to offer various discounts for existing customers when an updated version of their product is released and or when a new product is released and these may be stored in a PSO.

The PSO usually includes one or multiple transaction processing codes to indicate […]. This may vary from region to region and each PSO may have a list that includes processing codes for all countries or any subset. For any particular country, there may be different codes for different groups, e.g. government users may be billed using a different method to business, and the combinations used may vary from one region to another.

While not an exclusive list, the following are the more common types of transaction […]:

a) The PSO may be distributed at nominal cost, with the customer paying […]

b) The PSO may be distributed at nominal cost, with the customer paying […] key (at no cost) is required to activate the program.

c) The PSO may be distributed at nominal cost, with the customer paying for time used, however, a data key is required to activate the program and there is a charge for the key […] the relevant fixed basic charge field.

d) The PSO may be distributed at nominal cost, however, a data key is required to activate […] and there is a charge for the key, however, there are no continuing charges.

e) The PSO is only supplied on receipt of payment, with additional charges for time used. A key may be required to activate the program.

f) The PSO is only supplied on receipt of payment, however, there are no additional charges.

The PSO may be one that is generic to multiple PCPUs or customised to a particular PCPU.

Event Basic Charge (or EBC) - the invention allows that usage of software may be based on the number of times the program is opened and or any other event based mechanism. The Event Based Charge is the […] of billing. All of the options and or discounts and or requirements described above apply for Event Based Charge and will not be repeated, however, the various combinations and particular options used may vary from the TBC in any way.

Fixed Basic Charge (or FBC) - this is a fixed charge to use the software and may be a one off charge that subsequently grants unlimited use […] or a charge that grants access and then bills on a usage basis using any combination of the previous methods. All of the options and or discounts and or requirements described for TBC above may be applicable for Fixed Basic Charges, however, the various combinations and particular options used may vary from TBC in any way.

Transaction processing codes may be constructed to detail any combination of billing processes and discounts and anything else.

The ability to distribute software in massive quantities with very low upfront costs to the user may provide significant changes to the methods of marketing and advertising software products. One method may be to permit the user free or discounted access to various products, particularly new products. This may include various promotional scheme codes (PSC) within the PSO, that may be designed to achieve any outcome that is permitted by the PCPU that the PSO executes on, and this may include codes representing anything to do with promoting any sort of product using any known method, including:-

• a list of discounts and the time they apply may be included within the PSO, and they may be multiple. The discounts may be any value, and may result in free software for variable […] for a producer to pay a user to try their product. Particular promotions may have a use by date attached to them.

• Another approach may be to generate a random number in the PCPU each time a program is initiated or on any other basis. If this matches a code in the PSO, then various free program time may be provided on the current PSO and or another program by the producer and or various prizes may be gi[…]

• The software may also be made available to a potential user with part of its functions disabled, and no charge or a nominal charge applied to the use of this partially disabled program. This may be particularly useful for programs that may take time to assess, for example a new accounting program, where a potential customer may want to fully assess the package prior to committing to a changeover from an existing system. The activation to a fully operational system may require a key (that may or may not have a charge) or simply require the user to execute a program that initiates time and or event based billing, or any other […]

10 



32 



33 The infonnation to perfonn any promotional function may be tpc^kwi in part or ^^le within the PSO, however, it 

34 would usually rely in pan or whole on secret processes within the PCPU to prevem unauthorised manipulation of ttic 

35 promodons. 
36 



Certain software products may be unsuitable for use by particular groups. For example, certain countries may be restricted from using software because of security concerns and or because it may offend certain cultures and or other software may be unsuitable for children and or it may be restricted to certain professions and or it may be restricted to use at certain times and or for any other reason. These are referenced as Group Restriction Codes (GRC) and may be included in a particular PSO to limit access to various categories of user.

WO 97/25675 PCT/AU97/00010
3 

Any information included in a particular OSI may become obsolete, for example prices and discounts. Any information contained in a OSI may be replaced in part or whole with other more readily updated information stored in any suitable location; this may include locations within the PCPU, and or various files stored on one or multiple mass storage devices, and or distributed with other PSOs, and or distributed as part of codes supplied to users to update PCPU credits and or any other reason, and is subject to the overall control of the service provider who can vary the actual amounts charged to any particular user. The billing process is described later in this application.

Part or all of the information within the OSI is usually reliant on known information within the secure system memory of the PCPU to correctly interpret and or execute the various functions. As PCPU memory may be reprogrammed by suitably encrypted external information, part or all of which may be included within the PSO, the specific requirements of a particular PSO may be met by dynamically modifying part or all of the secure system memory. Additional flexibility may be gained by loading any required part of the PSO into secure user memory for execution. Although various functions have been detailed for the OSI, in practice a multiplicity of special functions may be included and these may occur during any part of the execution of the PSO.
19 

Method to update the PCPU:
Another step in the preparation of a PSO may be to include in the PSO various routines and data that will execute automatically and or under user control to update various information on the UCDPS for any reason and may include:-
• update the secure system memory
• update various files stored on a UCDPS that contain various billing information or discounts or special promotions and or any other information.
These update functions may be included as part of the actual PSO and or as part of one or more other PSOs. These other PSOs may be created specifically for the purpose and or may be parts of other PSOs. These other PSOs may be supplied to the user with the said actual PSO and or may be supplied separately.
30 

Error and Validity Checking:
A PSO, and the PCPU with which it is to operate, are provided with a number of secure mechanisms to protect against unauthorised analysis of information stored within. As there may be a benefit to a party that manages to compromise the security of either, it is anticipated that a number of attempts will be made to compromise the security of both, and one method may be aimed at changing various parts of the PSO in an attempt to analyse the various outcomes. In order to protect against this and also to detect genuine errors in the PSO, it is usual to use one or more error and or validity checking processes on information within the PSO, and these may use any known method and apparatus, and these may be dependent in part or whole on functions within the PCPU, that may include:-
• routines within system memory, and or
• various algorithms implemented in hardware within the PCPU, and or
• routines loaded from external sources (usually, in part or whole, in encrypted format), and or
• routines loaded from the PSO (usually, in part or whole, in encrypted format), and or
• any other source.
The error checking and validity checking is a process that usually occurs in total secrecy at both ends, with the service provider the only party that knows the process. The service provider is aware of the processes available in any particular PCPU to extract and validate any parity information and or CRC information and or any other information, and the method used to take the actual code of the PSO and generate the expected parity information and CRC information and any other information, and the methods to determine whether or not the expected information matches the extracted information. The service provider can take a PSO at any stage or stages in the conversion process from software object to PSO and analyse the information and add and or change data in such a manner that the outcome when run through the error and validity checking process in the PCPU will not detect any errors. Should one or multiple parts of the PSO be changed by an unauthorised party, then the error and or validity checking routine in the PCPU will detect the modifications and may take any known action, including those actions described later. If the service provider prepares a PSO for error and validity checks and the process complements a protocol preprogrammed into the PCPU, there may be no need for any other additional information within the PSO, however, if the service provider follows a variable pattern and or non-standard process, additional information may need to be included within the PSO to permit correct analysis at the other end, and this may use any known method. As part or all of the PSO will usually be subsequently encrypted, there is no practical way for an external analysis of the PSO to even hint at which apparently meaningless data is part of error/validity checking and which is encrypted information. Furthermore, the error/validity checking information may itself be encrypted. Furthermore the system usually only needs to work in one direction - provider to user, although some processes may need to be included within the PCPU to generate error and or validity checks on information that is to be stored in encrypted format in external resources (these are discussed in more detail in the applications dealing with these devices). Any number of error detection and validity checking processes may be applied and these may occur during various levels of the encryption process. The invention also allows that error and or validity checking may be performed on part or all of the PSO with the actual method to reverse this included within the PSO, and as long as part or all of the method to reverse is encrypted and the reversal process occurs in secrecy, there is no means of reverse engineering the process, and the methods and or apparatus used may be any known method and or apparatus.
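As an added illustration, not code from the patent, the following Python models the two-sided check described above: the service provider seals a PSO body with a CRC-32 for error detection and a keyed validity tag for tamper detection, and the PCPU recomputes both before accepting the object. The provider key (assumed to be held only in the PCPU's secure memory), the trailer layout and the sample PSO bytes are assumptions made for this example.

```python
import hashlib
import hmac
import struct

CRC32_POLY = 0xEDB88320  # reflected CRC-32 polynomial (same as zlib / IEEE 802.3)
TAG_LEN = 32             # SHA-256 output length; trailer = 4-byte CRC + 32-byte tag


def crc32(data: bytes) -> int:
    """Bitwise reflected CRC-32 over data (no table, so it is easy to audit)."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ CRC32_POLY if crc & 1 else crc >> 1
    return crc ^ 0xFFFFFFFF


def seal_pso(body: bytes, provider_key: bytes) -> bytes:
    """Service provider side: append the expected CRC and a keyed validity tag.

    The CRC catches genuine transmission or storage errors; the HMAC tag under
    the provider key (assumed shared only with the PCPU's secure memory) is what
    stops a party who can recompute a CRC from passing off a modified PSO.
    """
    crc = struct.pack(">I", crc32(body))
    tag = hmac.new(provider_key, body + crc, hashlib.sha256).digest()
    return body + crc + tag


def check_pso(pso: bytes, provider_key: bytes) -> str:
    """PCPU side: return 'ok', 'crc_error', 'invalid' or 'malformed'.

    The CRC is checked first so that plain corruption is reported as such;
    the tag comparison uses a constant-time compare.
    """
    if len(pso) < 4 + TAG_LEN:
        return "malformed"
    body = pso[:-(4 + TAG_LEN)]
    crc_bytes = pso[-(4 + TAG_LEN):-TAG_LEN]
    tag = pso[-TAG_LEN:]
    if struct.unpack(">I", crc_bytes)[0] != crc32(body):
        return "crc_error"
    expected = hmac.new(provider_key, body + crc_bytes, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return "invalid"
    return "ok"
```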
30 

Encryption of the information to create the Protected Software Object:
The final step in the creation of a PSO is the conversion of the software object as supplied by the producer together with any additional information as previously discussed to a protected program that provides the security against illegal use of the program. By encrypting the PSO using any known encryption method and any combination of known encryption methods, including the processes described previously, the software object is converted to a PSO that in part or whole may only be executed internal to an appropriate PCPU. The software object may be encoded to any degree of complexity. The software object is preferably analysed to determine which parts require encryption, what method or methods of encryption should be applied and any ancillary information that is required to support these methods. The actual arrangement of information within any part of the PSO to effect various outcomes will be variable with the exception of certain requirements imposed by a particular PCPU, and as the present invention allows for the provider supplied PSO to be flexible and the functions within a particular PCPU to be programmed in a multiplicity of ways, the various combinations and permutations to achieve the same outcome are obvious, once the specific requirements and one method of achieving this are described.

Crediting funds into a PCPU (and or other PCPUs):
The present invention allows that a part of the secure system memory of a PCPU may be securely programmed with information that indicates an amount of credit (using any method and or currency) that may be offset against software usage (and or any other applicable uses). Various secure locations within the PCPU within a particular UCDPS may contain codes that are unique to that particular PCPU and these codes are usually secret. A particular PCPU usually has a publicly accessible electronic signature that can be used to identify a particular PCPU; a particular PCPU may also have other characteristics that are unique to a particular PCPU, for example, particular software routines and or encryption/decryption processes and or any other applicable variation. Because of the secure nature of information contained within a PCPU, it is preferable that conversion of a software object into a PSO is performed by a service provider, and that the actual information within PCPUs is maintained in a secure environment. When a UCDPS is initially shipped to a customer, it is likely that the PCPU has no credit value programmed within and may not be activated to execute PSOs. The process of activating a particular PCPU may be accomplished by any method and apparatus, including:
1) The user contacts a service provider (using any method, the most convenient usually being via a modem) and supplies the service provider with the serial number of the PCPU, the amount of credit required, and payment details (this is preferably a credit card payment) that may use any known method and apparatus.
2) Using known details about various information within that particular PCPU, the service provider uses the requested amount of credit and encrypts this amount using any known method and apparatus (and an experienced person should be able to devise multiple techniques based on the encryption processes described). The encryption process may use any information (including fixed and or any other unique and or global information within the PCPU and or that may be securely transferred to the PCPU, using any known method including those described in this application) to generate a one time code that may be decrypted within the PCPU.
3) The one time code is transferred to the user of the PCPU and entered into the computer. The code is decrypted. If an error is generated, the user may be advised. Once the amount is decrypted the nominated credit is programmed into any appropriate secure non-volatile location internal to the PCPU that cannot be tampered with.
4) This process may activate the PCPU if required, however, the preferred determinant as to whether or not a particular PCPU will execute one or multiple PSOs is based on the amount of credit available.
5) The available credit is progressively decremented as various PSOs are used, and the present invention allows for any method and apparatus for billing for PSO use.
6) Software usage of various software objects may be logged.
7) When the credit amount is decremented to a predetermined amount (and said predetermined amount may be set by the service provider and or the user) the user is advised that additional credit will be required shortly. The method of advising the user of an imminent shortage of credit may use any method and or apparatus, however, as the programs that implement this process are preferably executing in part or whole from within secure memory in the PCPU, the facility exists to generate an internal interrupt and jump to an appropriate internal and or external program. This may occur at any time, with the most usual being shortly after a system reset. The process may be transparent to the operating system. The facility exists, using a similar process (and or any other method and or apparatus) for the user to generate a current report of available credit and or software object use.
8) For the second and subsequent contacts with a service provider to obtain further credit, in addition to providing the service provider with the electronic signature of their PCPU, the user will usually be required to advise the service provider of a code (that is securely generated within the PCPU using any known method and apparatus within the PCPU) that may include current information on remaining credit (that may be zero) and may include information on the usage of part or all software objects.
9) Step 2 is repeated, however, in addition to credit information, the code supplied includes an encrypted message that informs one or multiple routines within the PCPU that information pertaining to software object use has been received by the service provider. Storage locations allocated to this information may then be cleared.
13 

The present invention allows that although the process as described requires prepayment for services, the process is also compatible with the provision of credit within the PCPU on account terms with selected users, and the credit amount allocated would usually be sufficient to cover expected usage (or may be any amount). The actual amount to bill the user may be calculated by subtracting the amount of credit remaining from the amount supplied in the previous period and or any other method and apparatus.

A user friendly menu system may be used to assist part or all of the process described above.
21 

Monitoring the use of protected software objects:
The present invention allows for any known method and apparatus that can monitor and or record the usage of PSOs (and or software objects), and preferably one that is compatible with multitasking programs in a single processor and or multiprocessor environment, and preferably one that provides a tamperproof, secure system that operates in part or whole from within a PCPU and or any other SFD, when the UCDPS is standalone, or when independent and connected to a network and or when independent and connected to the Internet or similar, for its correct functioning, and or when the UCDPS is dependent in part or whole on connection to a network, and or is dependent in part or whole on connection to the Internet (or similar). In a single task UCDPS the SFD usually starts recording usage when activated and terminates when the PSO finishes. The preferred method in a multitasking environment where usage is timed is to generate an internal interrupt within the secure microprocessor on a periodic basis, and said interrupt activates a routine within internal secure memory that retrieves the contents of the program counter of the system microprocessor at the time of the interrupt and compares this with an address map generated by the PSO to determine which program was executing during the interrupt. The invention allows for any combination and or permutation and or weighting for usage of any one or multiple PSOs. Event usage may only require counting of occurrences of the event, in both single and multitasking UCDPSs. The usage of PSOs is usually recorded in part or whole within secure internal memory, however, the invention allows that part or all of the information on the use of PSOs may be encrypted and stored external to the PCPU and or UCDPS. It is preferable to keep sufficient information on PSO use internal to the device, in order that a software vendor receives the appropriate payment in the event that external storage of this information is corrupted, in which case while there may be no detailed [...] basis, and said periodic basis may be any period. A user may be required to report to the service provider when a certain number of events have occurred, that may be any combination of events, including the number of times one or multiple PSOs have been used, and or a user may be required to provide a report to any authorised party for any reason; those PSOs that do not require the presence of available credit within the SFD may share any of the reporting requirements discussed, however, they usually are independent as to the state of credit within the SFD. In practice a mix of methods may be used and a periodic report may be required. When a report is required on a periodic basis, a secure battery backed realtime clock/calendar is the preferred source of determining (in conjunction with predetermined and or otherwise information on the time intervals to be used) when the relevant time interval has occurred. When available credit expires and or a certain date and or time is reached and or a certain number of events and or type of events have occurred, part or all of the functions of the SFD may be disabled.
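An added Python example, not code from the patent, of the sampling scheme above: the periodic interrupt hands the sampled program counter to a monitor that maps it onto the address ranges registered by the loaded PSOs, accumulates timed usage per PSO, counts event usage separately, and signals when either the event threshold or the reporting period has been reached. The address ranges, tick length, thresholds and sample values are constructed for the example.

```python
from bisect import bisect_right


class AddressMap:
    """Non-overlapping (start, end_exclusive, pso_id) ranges registered by loaded PSOs."""

    def __init__(self, ranges):
        self.ranges = sorted(ranges)
        for (s1, e1, _), (s2, _, _) in zip(self.ranges, self.ranges[1:]):
            if s2 < e1:
                raise ValueError("overlapping ranges: %#x-%#x and %#x" % (s1, e1, s2))
        self._starts = [r[0] for r in self.ranges]

    def lookup(self, pc):
        """Return the PSO id whose range contains pc, or None (OS or unprotected code)."""
        i = bisect_right(self._starts, pc) - 1
        if i >= 0:
            start, end, pso_id = self.ranges[i]
            if start <= pc < end:
                return pso_id
        return None


class UsageMonitor:
    """Secure-memory usage record fed by the periodic interrupt and by event hooks."""

    def __init__(self, address_map, tick_ms, event_threshold, report_period_ms):
        self.map = address_map
        self.tick_ms = tick_ms
        self.event_threshold = event_threshold
        self.report_period_ms = report_period_ms
        self.time_ms = {}          # pso_id -> timed usage attributed by sampling
        self.events = {}           # pso_id -> event count (e.g. program opened)
        self.unattributed_ticks = 0
        self.elapsed_ms = 0        # would come from the secure real-time clock

    def on_tick(self, pc):
        """Called from the periodic interrupt with the sampled program counter."""
        self.elapsed_ms += self.tick_ms
        pso_id = self.map.lookup(pc)
        if pso_id is None:
            self.unattributed_ticks += 1
        else:
            self.time_ms[pso_id] = self.time_ms.get(pso_id, 0) + self.tick_ms

    def on_event(self, pso_id):
        """Event based usage: one count per occurrence, no timing needed."""
        self.events[pso_id] = self.events.get(pso_id, 0) + 1

    def report_due(self):
        """Reporting is triggered by event count or elapsed period, whichever comes first."""
        return (sum(self.events.values()) >= self.event_threshold
                or self.elapsed_ms >= self.report_period_ms)

    def snapshot(self):
        return {"time_ms": dict(self.time_ms), "events": dict(self.events),
                "unattributed_ticks": self.unattributed_ticks}
```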

Whatever the trigger point for requiring the user to supply the service provider with a report generated by secure methods within and or in conjunction with the SFD, the method steps to supply said report and to reactivate the SFD for further use may use any method and apparatus, including:
1) When the SFD determines that internal and or external information is due for reporting to a service provider, any method may be used to alert the user, and one preferred method uses the ability of the PCPU to call routines transparently to the operating system by having the secure microprocessor DMA information to display memory, and this facility may be used to overlay a message on the display device of the UCDPS advising them to execute a program that will generate a report, and this is preferably at the start of a processing session.
2) The report generator is executed and this may display a menu based system to assist the user. If information is to be transmitted to the service provider via a modem and any return information received by the same method then the process may be fully automated and transparent to the user. The invention allows for any method and apparatus that assists the user with the process. The report generator usually triggers routines within the SFD that collate and encrypt the information to be supplied to the service provider, with the information usually including one or multiple unique identity codes for a particular SFD, and this may and or may not be encrypted. The report would usually be integrated with any information to be supplied to a service provider as regards credit remaining within a SFD.
3) The user contacts a service provider (using any method, the most convenient usually being via a modem) and supplies the service provider with the information generated by the report generator. As mentioned, if using a modem this process may have minimal user intervention; without a modem the information may be supplied by any method, including as a file on a diskette and or the information may be verbal (or use the numeric pad) and or any other method.
4) On receipt of the information the service provider determines the electronic signature of the SFD generating the report and using known details about various information within that particular SFD decrypts the report and confirms that it has not been tampered with.
5) Any method may be used to collect payment for any amounts payable as a result of use of software objects and or any other reason.
6) The service provider prepares a one time code using any method and apparatus that may be correctly interpreted by the target SFD and is usually specific to a particular SFD.
7) The one time code is transferred to the user of the SFD and entered into the computer. If an error is generated the user may be advised. The purpose of this information is usually to advise routines within the SFD that a correctly encoded report was received by the service provider. Other information, e.g. credit, may be included with said one time code. The normal process preferably provides for continued use of PSOs prior to the expiry date of the current period.

With the exception of the periodic updating of internal credits and the reporting of software usage the method and apparatus of software protection and distribution may be transparent to the user. As long as payments are made as required the user would treat a PSO as they would any presently available software object.

The invention allows that a user may purchase a particular PSO for unlimited use, and this may use any method and apparatus, including debiting the cost of the PSO from any available internal credit and setting a code such that there is no further billing for use of this PSO; one method allows for a file to be kept on a suitable mass storage device attached directly and or indirectly to the UCDPS (referenced as Exempt PSO File or EPF) and this may store, usually in encrypted format (in part or whole), a vendor code and product code and a code that is unique to a particular PCPU for that particular product. Said code is usually created when payment is made and this may be automatic when there is available credit in the PCPU and or may require separate payment and or any other method. When a PSO is loaded for execution, routines within the PCPU check the EPF file and determine whether or not a particular PSO that is normally charged on any type of usage basis is exempt from this process. One alternative is for the service provider to credit any [...]

A variation on the method and apparatus described earlier allows for a certain group of programs to be used on an unlimited basis for a period of time, for one fixed charge. This may apply, for example, to a group of games that may be used for $X per month, where X may be any amount. A periodic report is required to determine usage of the different games in order to appropriately pay the vendors of those games. The actual pro rata allocation to various vendors may be made by the service provider using any agreed formula. This may use a special code within the PSO and or the CDF and the EPF and or any other method. The invention allows that multiple software object groupings may use this variation and the amount charged for one grouping may be the same and or different to other groupings.

The invention allows that part or all of the processes that require the user to supply codes to activate part or all of the invention for any reason, may use any method and apparatus to prevent attempts at creating said codes by trial and error and or any other method, with the preferred method being routine(s) within secure internal memory that log in non-volatile storage invalid attempts at entering codes, and part or all of this information may be stored in one or multiple external files that may be directly and or indirectly attached to the UCDPS. The invention allows for any action to be taken including disabling the PSO and or multiple PSOs and or the PCPU and or all processing capability, and this may be done using any method and apparatus.
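The crediting steps 1) to 9) above, the report and reactivation steps, and the invalid-code logging just described, as one added Python model that is not code from the patent. It assumes a per-device secret shared between the service provider and the PCPU's secure memory, used through HMAC-SHA256 as a stand-in for whatever "known details" the provider would encrypt with; the code layout, thresholds, serial numbers and amounts are constructed for the example.

```python
import hashlib
import hmac
import json
import struct

CODE_FMT = ">16sIIB"          # serial (null padded), sequence number, credit units, ack flag
CODE_LEN = struct.calcsize(CODE_FMT)
TAG_LEN = 32                  # HMAC-SHA256 output
MAX_INVALID_ATTEMPTS = 3      # constructed lockout threshold
LOW_CREDIT_WARNING = 100      # constructed "advise the user" threshold, in credit units


def _tag(key, payload):
    # Stand-in for the patent's unspecified per-PCPU encryption of the code.
    return hmac.new(key, payload, hashlib.sha256).digest()


class ServiceProvider:
    def __init__(self):
        self.devices = {}   # serial -> {"key", "seq", "issued"}

    def register(self, serial, key):
        self.devices[serial] = {"key": key, "seq": 0, "issued": 0}

    def issue_code(self, serial, credit, ack_usage=False):
        """Steps 2, 6 and 9: a one time code bound to one PCPU and one sequence number."""
        d = self.devices[serial]
        d["seq"] += 1
        d["issued"] += credit
        payload = struct.pack(CODE_FMT, serial.encode(), d["seq"], credit, int(ack_usage))
        return (payload + _tag(d["key"], payload)).hex()

    def process_report(self, report):
        """Step 4: verify the report; return (usage, units consumed) or None if tampered."""
        body, tag = report[:-TAG_LEN], report[-TAG_LEN:]
        try:
            fields = json.loads(body)
            d = self.devices[fields["serial"]]
        except (ValueError, KeyError, TypeError):
            return None
        if not hmac.compare_digest(_tag(d["key"], body), tag):
            return None
        return fields["usage"], d["issued"] - fields["credit"]  # supplied minus remaining


class PCPU:
    def __init__(self, serial, key):
        self.serial, self._key = serial, key
        self.credit = 0             # secure non-volatile credit store
        self.last_seq = 0           # highest accepted code; makes each code usable once
        self.usage = {}             # pso_id -> units used since the last acknowledged report
        self.invalid_attempts = 0   # non-volatile log of bad code entries
        self.disabled = False

    def enter_code(self, code_hex):
        """Steps 3 and 7: decode the one time code; refuse replays, wrong device, bad tag."""
        if self.disabled:
            return "disabled"
        try:
            raw = bytes.fromhex(code_hex)
            payload, tag = raw[:CODE_LEN], raw[CODE_LEN:]
            serial, seq, credit, ack = struct.unpack(CODE_FMT, payload)
        except (ValueError, struct.error):
            return self._reject()
        if (serial.rstrip(b"\0").decode() != self.serial
                or not hmac.compare_digest(_tag(self._key, payload), tag)
                or seq <= self.last_seq):
            return self._reject()
        self.last_seq = seq
        self.credit += credit
        self.invalid_attempts = 0
        if ack:                     # provider confirmed receipt of the usage report
            self.usage.clear()
        return "accepted"

    def _reject(self):
        self.invalid_attempts += 1
        if self.invalid_attempts >= MAX_INVALID_ATTEMPTS:
            self.disabled = True    # one of the "any action" responses the text allows
            return "disabled"
        return "rejected"

    def debit(self, pso_id, units):
        """Step 5: decrement credit for PSO use; refuse when credit is exhausted."""
        if self.disabled or units > self.credit:
            return False
        self.credit -= units
        self.usage[pso_id] = self.usage.get(pso_id, 0) + units
        return True

    def low_credit(self):
        return self.credit < LOW_CREDIT_WARNING   # step 7: condition for the interrupt

    def report(self):
        """Step 8 / report generator: tagged remaining credit and usage."""
        body = json.dumps({"serial": self.serial, "seq": self.last_seq,
                           "credit": self.credit, "usage": self.usage}, sort_keys=True).encode()
        return body + _tag(self._key, body)
```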
The invention allows that a user who has purchased in part or whole one or multiple PSOs and or earned frequency discounts on one or multiple PSOs and or for any other reason, may wish to port these to another SFD for any reason, including that the user has purchased a new machine of any type, or to transfer rights in one or multiple PSOs to another user. The invention also allows that one or multiple PSOs may not offer this facility. The invention allows that there are multiple known methods and apparatus to achieving this, including the preferred option that may involve the following method steps:
1) the user activates a program to reverse various capabilities granted to a particular SFD, for example activation codes and or discount schedules. This would usually display a menu type screen on the display device of the UCDPS, using the method previously described, to assist the process.
2) the user nominates those PSOs that are to have part or all rights of usage transferred to another SFD.
3) the program may change various internal locations and may change various external locations such that existing rights are no longer valid on the SFD.
4) encrypted information is supplied to the service provider indicating that various access rights to one or multiple PSOs have been modified, and the encrypted information (using any method and apparatus) is decrypted and verified for validity, using any method and or apparatus.
5) the user usually informs the service provider of the new SFD [...]. This may be multiple SFDs.
6) any codes and or discounts and or new versions of encrypted PSOs are prepared for the nominated PSOs and supplied accordingly.

User Password:
Certain information is preprogrammed into the PCPU prior to being made available to a user and some of this may restrict the user of that particular PCPU from various functions available within the PCPU and or available in various information supplied by a service provider. An example may be to restrict users of a particular country from various services. The invention allows that some of these restrictions may be reprogrammable with information supplied by the service provider while other information may be fixed. A user of a UCDPS equipped with a PCPU may have various restrictions that they want placed on the use of the PCPU and these would normally be programmable by the user, and these may include any allowed functions, using any known method. A user may want a master password for themselves and this would usually be stored within non-volatile storage elements of system memory, and the correct entry of this may be required to activate the PCPU (in the case of a PCPU the CPUs within may be disabled). Additional passwords may also be required that allow limited access to the PCPU, for example, certain passwords may be attached to children to prevent them from using unsuitable software; or certain employees may be prevented from playing games on their computers during business hours. Certain functions may also be attached to various passwords, e.g. to monitor usage.

Any program and or data that is preprogrammed into a PCPU may in part or whole be the same as those within other PCPUs and or may in part or whole be unique to other PCPUs. Any program that is currently within secure memory may call on any currently external programs and or data and or apparatus to assist the functions of any program.
Protection of other forms of information:
The present invention also allows for the inclusion of part or all of the method and apparatus described in this application when used in conjunction (in any manner) with any secure apparatus (that may be one or multiple devices) for use in:
the secure decoding of encrypted (in part or whole) video information and or any other encrypted (in part or whole) visual information, and or the secure generation of the necessary signals to display the decoded information on a suitable visual output device, with said necessary signals preferably constrained within a secure location within said visual output device; and or
the secure decoding of encrypted (in part or whole) sound information and or the secure generation from said information of the necessary signals to drive a loudspeaker (and or equivalent), with said necessary signals preferably constrained within said loudspeaker (or equivalent); and or
the secure decoding of encrypted (in part or whole) text as may be the case with electronic books and or newspapers (and or any other printed matter of commercial value that is published in electronic form) and the secure generation of the necessary signals to display the decoded information on a suitable visual output device;
this particularly applies when said secure apparatus securely monitors and or logs (directly and or indirectly) the use of the encrypted information as it is decoded and used within said secure apparatus, and or that includes (directly and or indirectly) one or multiple methods and apparatus to ensure payment is made for said use.
Any combination of software and or hardware and or microcode may be used to implement the method and apparatus, with the preferred method and apparatus:
retrieving pricing information from the encrypted information; and or
timing the use (and or counting the frequency of use) of said encrypted information; and or
storing this within the secure apparatus (that may include secure non-volatile storage elements); and or
debiting an amount out of electronic funds previously embedded within the secure apparatus; and or
recording an amount to charge at a future date; and or
generating a report of usage (preferably with a breakdown for each vendor and information provider (and or agent)); and or a
system to ensure that said report of usage has been received by the relevant parties; and or
that may disable part or all of its capabilities in the event that electronic funds are exceeded and or a report is not provided to the relevant parties and or that periodic reports are not received by said relevant parties; and or
that may be updated with additional electronic funds and or any previously used (or expired) credit limits reset. The encrypted information may be supplied on any machine readable physical media and or broadcast using any method.

When an external PSO requires to access the SFD, the normal process is to:

a) block interrupts if required and write a command to the system command input port;

b) the process of writing to the port preferably generates an interrupt so there is a rapid response from the secure microprocessor, otherwise there may be a delay while it is polled.

c) the secure microprocessor writes to the system command output port a value that indicates if there are currently no resources and another value if there are resources, together with the address and size of a user command input and output port and a user data input and output port. It clears the value written by the system microprocessor into the system command input port.

d) the PSO reads the information from the system command output port and reactivates interrupts.

e) if resources are currently unavailable to the PSO it may enter any known delay routine and try again later. The option exists for it to branch to a routine to advise the user that the multitasking capability of the UCDPS is currently fully extended.

f) if granted access it saves the appropriate user port information in an accessible area and may read and write to these ports as required. There is no need to disable interrupts when accessing the user ports allocated to it. There is no requirement to modify the task switching routines of the host system.

g) if the SFD has granted a PSO access to the SFD then it preferably stores relevant information about the PSO user partition in a known location in the system partition, usually with information on other user partitions.

h) the SFD waits until the PSO starts writing information to its user data input port; this may be triggered by an interrupt or polling of locations and or any other method.

i) the SFD transfers the information into the allocated secure user partition. This may be done via the user input port and or via Direct Memory Access (DMA) or by direct programmed I/O by the secure microprocessor and or any other method permitted by a particular embodiment of the invention.

j) PSOs usually include various information to assist the SFD in addition to various encryption and validity checking information.

k) various system functions are activated to decrypt and validate where appropriate and extract other information relevant to the PSO.

m) the PSO may be determined to be a valid System Support Object that is required to be loaded into the secure system partition to addresses determined by any method. The System Support Object may include data and commands as to what other processing is required and or it may include a secure program, in which case the secure microprocessor will be directed to execute this program.

This is usually granted if the SFD currently has sufficient resources. This would normally be the case in a single tasking system, however, in a multitasking environment a PSO may need to wait. Said wait
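The command-port handshake in steps a) to g), together with the partition rule the claims state (system partition may access user partitions; a user partition may not access the system partition or another user partition unless authorised), can be simulated in a few dozen lines. This is an added example written for this page, not code from the patent or from any embodiment of it; the port numbers, the partition layout, the command and reply encodings and the function names are all assumptions.

```c
/* Added example, not code from the patent: a simulated SFD command port and
 * user-partition allocator. A PSO writes a request to the system command
 * input port; the secure side replies on the system command output port with
 * NO_RESOURCES or a grant carrying the PSO's user port addresses, clears the
 * input port, and records the allocation in the system partition. An access
 * check applies the partition rules the claims state. All port numbers,
 * sizes and names are assumptions. */
#include <stdint.h>
#include <string.h>

#define MAX_USER_PARTITIONS 2
#define PARTITION_SIZE      0x1000u
#define USER_PARTITION_BASE 0x8000u   /* system partition lies below this */

#define CMD_NONE           0u
#define CMD_REQUEST_ACCESS 1u
#define CMD_RELEASE        2u

#define REPLY_NO_RESOURCES 0u   /* "currently no resources": retry later */
#define REPLY_GRANTED      1u   /* "another value if there are resources" */

struct user_ports { uint16_t cmd_in, cmd_out, data_in, data_out, size; };
struct sys_cmd_out { uint16_t status, pso_id; struct user_ports ports; };

struct sfd {
    uint16_t sys_cmd_in;             /* written by the PSO, cleared by the SFD */
    struct sys_cmd_out sys_cmd_out;  /* written by the SFD, read by the PSO */
    /* allocation table, kept in the secure system partition */
    struct { int in_use; uint16_t owner, base; } part[MAX_USER_PARTITIONS];
};

void sfd_init(struct sfd *s) {
    memset(s, 0, sizeof *s);
    for (int i = 0; i < MAX_USER_PARTITIONS; i++)
        s->part[i].base = (uint16_t)(USER_PARTITION_BASE + i * PARTITION_SIZE);
}

/* Step a) from the PSO side: the command word carries the PSO id in its high
 * byte. Interrupt masking is left to the caller. */
void pso_write_command(struct sfd *s, uint16_t cmd, uint16_t pso_id) {
    s->sys_cmd_in = (uint16_t)((pso_id << 8) | (cmd & 0xFFu));
}

/* Step c) on the secure side, normally run from the port-write interrupt.
 * Returns the reply status so a caller can check it without reading the port. */
uint16_t sfd_service_command(struct sfd *s) {
    uint16_t cmd = s->sys_cmd_in & 0xFFu, pso_id = s->sys_cmd_in >> 8;
    s->sys_cmd_in = CMD_NONE;                     /* clear what the PSO wrote */
    memset(&s->sys_cmd_out, 0, sizeof s->sys_cmd_out);
    s->sys_cmd_out.pso_id = pso_id;
    if (cmd == CMD_RELEASE) {
        for (int i = 0; i < MAX_USER_PARTITIONS; i++)
            if (s->part[i].in_use && s->part[i].owner == pso_id) s->part[i].in_use = 0;
        return s->sys_cmd_out.status = REPLY_GRANTED;
    }
    if (cmd == CMD_REQUEST_ACCESS) {
        for (int i = 0; i < MAX_USER_PARTITIONS; i++) {
            if (s->part[i].in_use) continue;
            s->part[i].in_use = 1;                /* step g): record the allocation */
            s->part[i].owner  = pso_id;
            /* each partition has its own set of user ports */
            uint16_t pb = (uint16_t)(0x100 + i * 0x10);
            struct user_ports p = { pb, (uint16_t)(pb + 4), (uint16_t)(pb + 8),
                                    (uint16_t)(pb + 12), PARTITION_SIZE };
            s->sys_cmd_out.ports = p;
            return s->sys_cmd_out.status = REPLY_GRANTED;
        }
    }
    return s->sys_cmd_out.status = REPLY_NO_RESOURCES;  /* step e): PSO retries */
}

/* Index of the user partition owned by pso_id, or -1 if it holds none. */
int sfd_partition_of(const struct sfd *s, uint16_t pso_id) {
    for (int i = 0; i < MAX_USER_PARTITIONS; i++)
        if (s->part[i].in_use && s->part[i].owner == pso_id) return i;
    return -1;
}

/* Partition rule from the claims: code in the system partition may access any
 * user partition; code in a user partition may access only its own range and
 * reaches the system partition or another user partition only when
 * explicitly authorised. `from` is the user partition index running the code
 * or -1 for the system partition. Returns 1 when the access is allowed. */
int sfd_access_allowed(const struct sfd *s, int from, uint16_t addr, int authorised) {
    if (from < 0) return 1;
    if (from >= MAX_USER_PARTITIONS || !s->part[from].in_use) return 0;
    uint16_t own = s->part[from].base;
    if (addr >= own && addr < own + PARTITION_SIZE) return 1;
    return authorised ? 1 : 0;
}
```

Two details matter for the isolation property: the input port is cleared before any reply is written, so a stale command cannot be replayed by a later interrupt, and the allocation table lives on the secure side only, so a PSO can neither forge its own grant nor learn which other partitions are in use beyond the "no resources" signal.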
The claims defining the invention are as follows:

1. A method of distributing software objects from a producer to a potential user comprising:

equipping a user controlled data processing system with a secret processing device, and said user controlled data processing system equipped with said secret processing device is referred to as a PUCDPS, wherein said secret processing device of said PUCDPS may be configured to be dependent in part or whole on the coupling of said PUCDPS for part or all of the time, to one or multiple remote computers and or any other data processing devices, however, part or all of said secret processing device may operate and or be configured to operate in a stand alone PUCDPS and may remain operational for extended periods after said PUCDPS is removed from a source of power one or multiple times, and or moved to different locations, and or
that would normally disrupt processing on said PUCDPS;

providing one or multiple service providers, with part at least of secure information within one or multiple said secret processing device that is required to provide part at least of the services required by one or multiple said PUCDPS, wherein said service providers are the agents of said producer;

providing a software object;

modifying part or all of said software object such that it is functionally limited to require said PUCDPS for correct processing (in this claim execution and process and processing are interchangeable and refer to execution of instructions and or processing of data) and the functional limitation may be Oscar compatible and or may be Groover compatible and or may use any encryption method able to be reversed in said secret processing device, furthermore, said functional limitation may be of one or multiple essential parts of software object such that it is not practical to regenerate the original software object from any parts that are not functionally limited, and for any particular functionally limited software object the functional limitation may only be reversed in part or whole by a specific said secret processing device with unique characteristics necessary to reverse the functional limitation, and or the functional limitation may be reversed in part or whole on a plurality of said secret processing device identified by common characteristics necessary to reverse the functional limitation; and or

modifying part or all of said software object, using any method, such that said software object is securely linked in part or whole, using any method, to any one or multiple conditions of use, that in
tamper with and said conditions of use may include any code that identifies
or specifies said software object in any way, such that when said secret processing device is used to reverse part or all of said functional limitation, said secret processing device may record use of said software object and or the use of software objects of a particular producer and or any other record that in part or whole is used in determining remuneration to the producer and or any other parties and or said conditions of use includes any code that contains information which may be used by the SPD to determine if said software object
is permitted to execute and or process in part or whole on a units of time used basis, and may include what fee should be applied for the use of said software object and said fee may be any unit of measurement and is preferably a generic units of use basis and said generic units may be attributed any real currency value at any stage; and or
is permitted to execute and or process in part or whole on a
times one or multiple parts of said software object are loaded and or executed and or any other measurable events basis, and may include what fee should be applied for the use of said software object and said fee may be any unit of measurement and is preferably a generic units of use basis and said generic units may be attributed any real currency value at any stage; and or

is permitted to execute and or process on an unlimited basis subject to a fee, and may include what fee should be applied for the use of said software object and said fee may be any unit of measurement and is preferably a generic units of use basis and said generic units may be attributed any real currency value at any stage; and or

is permitted to execute and or process on any type of limited basis subject to a fee, and may include what fee should be applied for the use of said software object and said fee may be any unit of measurement and is preferably a generic units of use basis and said generic units may be attributed any real currency value at any stage; and or

requires entry of one or multiple data keys of any type prior to
for the first and or any other time on a particular said secret processing device and may include whether or not a fee is to be charged; and or

requires any other restrictions of any type to be placed on use of said software object;

any said software object modified in part or whole as described

providing one or multiple protected software object onto computer-accessible memory media and or any suitable means for electronically transferring said protected software object to a potential user, and preferably the conditions of use attached to said one or multiple protected software object permit said protected software object to be used on a time used basis in a PUCDPS with a secret processing device that has sufficient quantity of one or multiple said unit of measurement stored within and or securely accessible;

shipping said one or multiple said protected software object on said computer-accessible memory media to a potential user and or said electronically transferring said one or multiple protected software

loading said one or multiple said protected software object into said PUCDPS and executing as permitted by said conditions of use;

where required by said conditions of use, a user friendly menu system and or any other method
to:

request the supply of one or multiple said unit of measurement that may be required by the said secret processing device for any purpose, and or

receive one or multiple said unit of measurement, preferably in suitably encrypted format, that may use any method, and transfer said unit of measurement into the said secret processing device, and or accessible to the secret processing device, and or

request the supply of one or multiple data keys that may be required by the said secret processing device, and or
receive one or multiple data keys and transfer said data keys into the said secret processing device, and or accessible to said secret processing device, using any method, and or

generate one or multiple reports of software usage and or any other information that may be required, and supply said reports to said service provider and or any other external

receive one or multiple codes confirming that said report has been received and supply said one or multiple codes confirming into said secret processing device and or accessible to said secret processing device, and or

request the service provider and or any other authorised party for one or multiple codes that may be used to reactivate part or all of said secret processing device that may have been disabled for any reason

receive one or multiple codes to reactivate part or all of said secret processing device that may have been disabled for any reason and transfer said codes into said secret processing device, and or accessible to said secret processing device, and or

for any of the preceding; the information generated by said PUCDPS and or received from said service provider is preferably transferred electronically, however, any other combination of methods may be used including mailing of computer-accessible memory media containing the information.

2. A method of distributing software objects according to Claim 1, wherein said secret processing device may:

securely decrypt and execute (in this claim execution and process and processing are interchangeable and refer to execution of instructions and or processing of data) and or process instructions and or securely decrypt and process data; and or

securely decrypt and execute and or process instructions and or securely decrypt and process data that complies with part or all of the requirements of reversing functional limitations applied that are said Oscar compatible; and or

reverse any functional limitations applied that are said Groover compatible; and or

reverse part or all any functional limitations applying to said protected software object; and or

may decide to reverse one or multiple said functional limitations applied to one or multiple said protected software objects, based on the said conditions of use said securely linked to said protected software objects, where said decision is an autonomous decision, based in part at least, on secure processing of information internal and or external to said secret processing device, and that as long as said the requirements of one or multiple said protected software objects and or said secret processing device are complied with, the user of a said PUCDPS is able to execute and or process one or multiple said protected software object on the same basis as if they were said software object; and or

transfer into said secret processing device and or have transferred any part of one or multiple information that may be necessary to provide any of the functions required by said protected software object; and or

access any information that may be located external to said secret processing device in order to provide any of the functions required by said protected software object; and or
examine said conditions of use said securely linked to said protected software object; and or

determine a response to said conditions of use; and or

respond to said conditions of use; and or

provide one or multiple area of secure memory that is not practical to analyse; and or

provide for partition of secure memory into one or multiple secure system partitions and one or multiple user partitions whereby programs in said system partitions may access said user partitions, however, said user partition may not access said system partition unless authorised, and or any particular said user partition may not access any other said user partition unless authorised; and or

may transfer part or all any one or multiple said protected software object and or any other software objects from unsecure to said secure locations for processing and or transfer any information from said secure location to said unsecure location; and or

may securely decrypt part or all of decrypted parts of said protected software object and or any other encrypted information within said secure locations; and or

may process part or all of one or multiple said protected software object in secrecy, including processing of part or all of that information loaded in encrypted format and decrypted; and or

have the capacity to detect whether part or all of said protected software

handle the requirements of a large number of different protected software objects that it has not been specifically preconfigured for while in unsecure locations; and or

may perform secret encryption and or secret decryption in a manner that cannot be analysed, and this may be a software and or hardware function; and or

have the capacity to implement in part or whole, one or multiple hardware devices in programmable logic and preferably programmable logic that may be rapidly erased in the event of tampering, and this includes encryption and or decryption functions implemented in part or whole in hardware, and hardware functions implemented in programmable logic may be dynamically programmed by one or multiple protected software object; and or

may use any method to determine that there is an attempt to gain access to secret information within itself, and said attempt may be physical and or logical analysis, and the response may be any action, using any method, including
disabling, temporarily and or permanently, part or all of itself and or invalidating in any way part or all of the secret information that may be stored within secure memory storage devices; and or

may securely store information in encrypted and or clear code format in locations inaccessible to unauthorised parties and or securely store information in encrypted format in locations that may be accessible to unauthorised parties, and may detect tampering with stored information; and or

may have the capacity to securely monitor the usage of said protected software object; and or

may be loaded with information that is any one or multiple units of use, in any secure format, that may be securely stored within said secret processing device and or securely in accessible external locations and said units of use may be used to offset against use of one or multiple said protected software objects as determined by their said conditions of use, said units of use may be adjusted in any way as they are used and may be used to credit various said producer and or said protected software objects and or any other method that can be used to record directly and or indirectly the payments that are due to various producers and any other interested parties;

may securely record the usage of said protected software object and the record may include a secure breakdown of the usage on a producer and or product or any other basis, and said record in part or whole is non-volatile; and or

request and or compel the user of said PUCDPS to provide any necessary reports of usage to said service provider and or to any other location; and or

confirm that said reports that have been received as required; and or

not require modification of the PUCDPS operating system; and or

not require special routines to intercept calls to said system operating system; and or

identify the type of said protected software object and act as required;

provide or have access to one or multiple tamperproof, non-volatile source of time and or date; and or

provide or have access to one or multiple tamperproof timer; and or

provide one or multiple method of identifying a particular tamperproof environment that may include the use of an electronic signature; and or

provide one or multiple secret codes and or programs that are unique to a particular secure environment and or that are common across particular groups; and or
provide one or multiple programs, that may be preprogrammed and or transferred as required that may use secret information unique to said secret processing device; and or

process multiple said protected software object in a multitasking environment and this may be transparent to said User Controlled Data Processing System; and or

include functions, preferably implemented in reprogrammable secure memory, that may be edited and or modified and or deleted and or expanded and or in any other way changed, in a secure manner and usually transparently to the user of said PUCDPS, enabling externally supplied and appropriately configured said protected software object to adapt the secure processes available to said PUCDPS and create one or multiple application
to said PUCDPS and or that permits any current application to be dynamically adapted, and said adapt includes dynamically reprogramming various hardware functions implemented in part or whole with reprogrammable logic connections and or dynamically modifying decryption processes; and or

are programs and or data preprogrammed into the device and or transferred in encrypted format and or in clear code that assist any other function that includes the processing of said protected software object; and or

include secure memory that stores various internal system routines and may be loaded with externally supplied objects for decryption and or execution and or any other purpose; and or

may partition secure memory that forms part of said secure and secret processing
and secure user memory, wherein programs within system memory may access those in user memory, however, user programs may not access system memory on an unauthorised basis, furthermore, said user memory may be further partitioned into multiple user partitions, wherein each user partition cannot affect information within other user partitions.

3. A method of distributing software objects according to Claim 1, wherein said not practical may be interpreted as multiple levels of difficulty depending on the requirements and may be too difficult:

for a normal user

with disassembly of said parts that are not functionally limited,

with attempts at characterising encrypted information in the hope of breaking encryption methods,

with attempts at destroying the package to view the information within.

4. A method of distributing software objects according to Claim 1, wherein said Oscar compatible is any functional limitation of part or all of a software object by any method of encryption, usually at a secure location remote to the user, where part or all of the reversal of the encrypted information, by decryption and or any other method, occurs within a secure environment directly and or indirectly attached to a user controlled data processing system such that part or all of the instructions and or data of the software object reconstituted by said reversal are not accessible to analysis by any unauthorised party and execution of part or all of said instructions and or the processing (using any method) of part or all of said data that is not accessible to analysis by an unauthorised party remains in part or
whole inaccessible to analysis by any unauthorised party. The result is that part at least of the functional limitation placed on a software object is not compromised by the process

5. A method of distributing software objects according to Claim 1, wherein said Groover compatible is any functional limitation of part or all of a software object by deletion of part or all of the information within a software object, usually at a secure location remote to the user, where part or all of the reversal of the deletion, by any other method, occurs within a secure environment directly
the instructions and or data of the software object reconstituted by said reversal
party and the execution of part or all of said instructions and or the processing (using any method) of part or all of said data that is not accessible to analysis by an unauthorised party remains in part or whole inaccessible to analysis by any unauthorised party. The result is that part at least of the functional limitation placed on a software object is not compromised by the process of using said

6. A method of distributing software objects according to Claim X, wherein said determine a response to said conditions may be based on a plurality of information states within and or external to said secret processing device, including the availability of one or multiple said units of measurement to offset against any requirements in said conditions of use, appropriate entry of any data key, compliance with reporting requirements, validation of said conditions of use supplied with said protected software objects against appropriate values stored within said secret processing device.

7. An apparatus for distributing software objects, referenced a secret processing device, that may in part or whole be integrated into the same integrated circuit (and or directly and or indirectly linked) as the system microprocessor of said user controlled data processing system, and preferably does not interfere with the normal functions of said system microprocessor, the secret processing device may also form an integral part of a multiprocessor system microprocessor, part or all of said secret processing device may be integrated into any one or multiple devices external to said system microprocessor and attached directly and or indirectly to said user controlled data processing system;

said secret processing device includes one or multiple secure microprocessors and one or multiple blocks of secure memory storage devices, that may be any type and mix, and may include secure direct memory access controller and other functions as described, wherein said secret processing device may:

securely decrypt and execute and or process instructions and or securely decrypt and process data; and or

securely decrypt and execute and or process instructions and or securely decrypt and process data that complies with part or all of the requirements of reversing functional limitations applied that are said Oscar compatible; and or

reverse any functional limitations applied that are said Groover compatible; and or

reverse part or all any functional limitations applying to said protected software object; and or
may decide to reverse one or multiple said functional limitations applied to one or multiple said protected software objects, based on the said conditions of use said securely linked to said protected software objects, where said decision is an autonomous decision, based in part at least, on secure processing of information internal and or external to said secret processing device, and that as long as said the requirements of one or multiple said protected software objects and or said secret processing device are complied with, the user of a said user controlled data processing system is able to execute and or process one or multiple said protected software object on the same basis as if they were said software object; and or

have the capacity to implement in part or whole, one or multiple hardware devices in programmable logic and preferably programmable logic that may be rapidly erased in the event of tampering, and this includes encryption and or decryption functions implemented in part or whole in hardware, and hardware functions implemented in programmable logic may be dynamically programmed by one or multiple protected software object; and or

transfer into itself and or has transferred any part of one or multiple information that may be necessary to provide any of the functions required by said protected software object; and or

access any information that may be located external to said secret processing device in order to provide any of the functions required by said protected software object; and or

examine the said conditions of use said securely linked to said protected software object; and or

determine a response to said conditions of use; and or

respond to said conditions of use; and or

provide one or multiple area of secure memory that is not practical to analyse; and or

provide for partition of secure memory into one or multiple secure system partitions and one or multiple user partitions whereby programs in said system partitions may access said user partitions, however, said user partition may not access said system partition unless authorised, and or any particular said user partition may not access any other said user partition unless authorised; and or

may transfer part or all any one or multiple said protected software object and or any other software objects from unsecure to said secure locations for processing and or transfer any information from said secure location to said unsecure location; and or

may securely decrypt part or all of decrypted parts of said protected software object and or any other encrypted information within said secure locations; and or
may process part or all of one or multiple said protected software object in secrecy, including processing of part or all of that information loaded in encrypted format and decrypted; and or

have the capacity to detect whether part or all of said protected software

may perform secret encryption and or secret decryption in a manner that cannot be analysed, and this may be a software and or hardware function; and or

have the capacity to implement in part or whole, one or multiple hardware devices in programmable logic and preferably programmable logic that may be rapidly erased in the event of tampering, and this includes encryption and or decryption functions implemented in part or whole in hardware, and hardware functions implemented in programmable logic may be dynamically programmed by one or multiple protected software object; and or

may use any method to determine that there is an attempt to gain access to secret information within itself, and said attempt may be physical and or logical analysis, and the response may be any action, using any method, including disabling, temporarily and or permanently, part or all of itself and or invalidating in any way part or all of the secret information that may be stored within secure memory storage devices; and or

may securely store information in encrypted and or clear code format in locations inaccessible to unauthorised parties and or securely store information in encrypted format in locations that may be accessible to unauthorised parties, and may detect tampering with stored information; and or

may have the capacity to securely monitor the usage of said protected software object; and or

may be loaded with information that is any one or multiple units of use, in any secure format, that may be securely stored within said secret processing device and or securely in accessible external locations and said units of use may be used to offset against use of one or multiple said protected software objects as determined by their said conditions of use, said units of use may be adjusted in any way as they are used and may be used to credit various said producer and or said protected software objects and or any other method that can be used to record directly and or indirectly the payments that are due to various producers and any other interested parties;

may securely record the usage of said protected software object and the record may include a secure breakdown of the usage on a producer and or product or any other basis, and said record in part or whole is non-volatile; and or

request and or compel the user of said user controlled data processing system to provide any necessary reports of usage to said service provider and or to any other location; and or

confirm that said reports that have been received as required; and or

not require modification of the PUCDPS operating system; and or
not require special routines to run; and or

identify the type of said protected software object and act as required; and or

provide or have access to one or multiple tamperproof non-volatile sources of time and or date; and or

provide or have access to one or multiple tamperproof [...]; and or

provide one or multiple methods of identifying a particular tamperproof environment that may include the use of an electronic signature; and or

provide one or multiple secret codes and or programs that are unique to a particular secure environment and or that are common across particular groups; and or

provide one or multiple programs, that may be preprogrammed and or transferred as required, that may use secret information unique to said secret processing device; and or

process multiple said protected software objects in a multitasking environment and this may be transparent to said User Controlled Data Processing System; and or

include functions, preferably implemented in reprogrammable secure memory, that may be edited and or modified and or deleted and or expanded and or in any other way changed, in a secure manner and usually transparently to the user of said PUCDPS, enabling externally supplied and appropriately configured said protected software object to adapt the secure processes available to said PUCDPS and create one or multiple [...] to said PUCDPS and or that permits any current application to be dynamically adapted, and said adapt includes dynamically reprogramming various hardware functions implemented in part or whole with reprogrammable logic connections and or dynamically modifying decryption processes; and or

are programs and or data preprogrammed into the device and or transferred in encrypted format and or in clear code that assist any other function that includes the processing of said protected software object; and or

include secure memory that stores various internal system routines and may be loaded with externally supplied objects for decryption and or execution and or any other purpose.

8. A method of distributing software objects according to Claim 7, wherein said determine a response to said conditions may be based on a plurality of information states within and or external to said secret processing device, including the availability of one or multiple said units of measurement to offset against any requirements in said conditions of use, appropriate entry of any data key, compliance with reporting requirements, and validation of said conditions of use supplied with said protected software objects against appropriate values stored within said secret processing device.

9. An apparatus for distributing software objects according to Claim 7, wherein said reversible functional limitation is any functional limitation of part or all of a software object by any method of encryption, usually at a secure location remote to the user, where part or all of the reversal of the encrypted information, by decryption and or any other method, occurs within a secure environment directly and or indirectly attached to a user controlled data processing system such that part or all of the instructions and or data of the software object reconstituted by said reversal are not accessible to analysis by any unauthorised party and the execution of part or all of said instructions and or the processing (using any method) of part or all of said data that is not accessible to analysis by an unauthorised party remains in part or whole inaccessible to analysis by any unauthorised party. The result is that part at least of the functional limitation placed on a software object is not compromised by the process of using said software object.

10. An apparatus for distributing software objects according to Claim 7, wherein said reversible functional limitation is any functional limitation of part or all of a software object by deletion of part of said software object, usually at a secure location remote to the user, where part or all of the reversal of the deletion, by any method, occurs within a secure environment directly and or indirectly attached to a user controlled data processing system such that part or all of the instructions and or data of the software object reconstituted by said reversal are not accessible to analysis by any unauthorised party and the execution of part or all of said instructions and or the processing (using any method) of part or all of said data that is not accessible to analysis by an unauthorised party remains in part or whole inaccessible to analysis by any unauthorised party. The result is that part at least of the functional limitation placed on a software object is not compromised by the process of using said software object.

11. An apparatus for distributing software objects according to Claim 7, wherein said protected software object is a software object that has been reversibly functionally limited to be reversed in part or whole by [...] said secret processing device.

12. An apparatus for distributing software objects according to Claim 7, wherein said conditions of use may be a plurality of conditions securely linked to said protected software object that are extracted in part or whole by said secret processing device and used to determine whether to reverse the said functional limitations applied to one or multiple said protected software objects.
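Claims 7, 8 and 12 together describe one mechanism: a protected object arrives encrypted with its conditions of use securely linked to it, the secret processing device validates those conditions against its own state (unit balance, trusted clock, data key, reporting), meters the usage into a non-volatile record, and only then reverses the limitation, inside the device. The following Python model is an added example written for this page, not code from the patent or any implementation of it. It assumes a shared per-producer secret as the "secret code common across a group", binds the conditions of use to the ciphertext with an HMAC so that editing the price or expiry breaks the link, and uses an HMAC-SHA256 counter-mode keystream as a dependency-free stand-in for a real cipher; the field names, the `units_per_run`/`expires`/`data_key` conditions, and the `exec`-based stand-in for in-device execution are all constructed for illustration.

```python
import hashlib
import hmac
import json
import struct

# Added example modelling claims 7, 8 and 12. Not the patent's own implementation:
# field names, condition keys and the toy cipher are constructed for illustration.


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt by XOR with an HMAC-SHA256 counter-mode keystream.

    A PRF in counter mode stands in for a real cipher so the example has no
    dependencies; never reuse a (key, nonce) pair with this construction."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + struct.pack(">I", i // 32), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def _bind(key: bytes, nonce: bytes, conditions: dict, ciphertext: bytes) -> str:
    """MAC over nonce, canonical conditions of use and ciphertext (claim 12: 'securely linked')."""
    cond = json.dumps(conditions, sort_keys=True).encode()
    return hmac.new(key, nonce + cond + ciphertext, hashlib.sha256).hexdigest()


def make_protected_object(producer_key: bytes, producer: str, product: str,
                          code: bytes, conditions: dict) -> dict:
    """Producer side, at a location remote to the user: functionally limit the
    object by encryption and bind its conditions of use to it."""
    nonce = hashlib.sha256(f"{producer}/{product}".encode()).digest()[:12]
    ciphertext = _keystream_xor(producer_key, nonce, code)
    return {
        "producer": producer, "product": product, "nonce": nonce.hex(),
        "conditions": conditions, "ciphertext": ciphertext.hex(),
        "tag": _bind(producer_key, nonce, conditions, ciphertext),
    }


class SecretProcessingDevice:
    """Model of the tamperproof environment attached to the user's system."""

    def __init__(self, producer_keys: dict, units: int, clock):
        self._keys = dict(producer_keys)  # secret codes shared with each producer group
        self.units = units                # prepaid units of measurement (non-volatile in a real device)
        self._clock = clock               # stand-in for the tamperproof non-volatile time source
        self.usage_log = []               # secure usage record, broken down by producer and product

    def run(self, obj: dict, data_key=None):
        """Decide whether to reverse the limitation, meter the usage, then decrypt and execute inside."""
        key = self._keys.get(obj["producer"])
        if key is None:
            return False, "unknown producer"
        nonce = bytes.fromhex(obj["nonce"])
        ciphertext = bytes.fromhex(obj["ciphertext"])
        # Claim 8: validate the supplied conditions of use before acting on them.
        # A user who edits the price or the expiry in transit breaks the MAC.
        if not hmac.compare_digest(_bind(key, nonce, obj["conditions"], ciphertext), obj["tag"]):
            return False, "conditions of use or object tampered"
        cond = obj["conditions"]
        if self._clock() > cond["expires"]:
            return False, "expired"
        if cond.get("data_key") is not None and cond["data_key"] != data_key:
            return False, "data key required"
        cost = cond["units_per_run"]
        if self.units < cost:
            return False, "insufficient units"
        self.units -= cost  # offset units of measurement against the requirement
        self.usage_log.append({"producer": obj["producer"], "product": obj["product"], "units": cost})
        plaintext = _keystream_xor(key, nonce, ciphertext)  # the reversal happens only in here
        return True, self._execute(plaintext)

    @staticmethod
    def _execute(code: bytes):
        # Stand-in for execution inside the secure environment: the reconstituted
        # source never leaves the device, only the result of calling its main().
        namespace = {}
        exec(code.decode(), namespace)
        return namespace["main"]()


def demo() -> dict:
    """Constructed scenario: an honest run, a copy with edited conditions, a run
    without the data key, a second honest run, and a run after the balance is spent."""
    producer_key = hashlib.sha256(b"constructed producer secret").digest()
    code = b"def main():\n    return sum(range(1, 11))\n"
    conditions = {"units_per_run": 3, "expires": 1_900_000_000, "data_key": "ABC-123"}
    obj = make_protected_object(producer_key, "acme", "calc", code, conditions)

    device = SecretProcessingDevice({"acme": producer_key}, units=7, clock=lambda: 1_700_000_000)
    ok_run = device.run(obj, data_key="ABC-123")             # (True, 55), 4 units left

    tampered = json.loads(json.dumps(obj))
    tampered["conditions"]["units_per_run"] = 0              # user tries to make the run free
    tampered_run = device.run(tampered, data_key="ABC-123")  # rejected, no units spent

    no_key_run = device.run(obj)                             # rejected: data key required
    second_run = device.run(obj, data_key="ABC-123")         # (True, 55), 1 unit left
    exhausted_run = device.run(obj, data_key="ABC-123")      # rejected: insufficient units

    return {"ok": ok_run, "tampered": tampered_run, "no_key": no_key_run,
            "second": second_run, "exhausted": exhausted_run,
            "units_left": device.units, "usage_log": device.usage_log}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point the model makes is the one claim 12 turns on: the conditions of use travel with the object in clear form, so the device must treat them as untrusted input until the link to the ciphertext has been verified; only after that check does the unit balance, the clock and the data key come into play, and the usage record is written before, not after, the decrypted code runs.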
13. A method of securely protecting and distributing software objects substantially as hereinbefore described with reference to the drawings.

14. An apparatus for distributing software objects substantially as hereinbefore described with reference to the drawings.

15. The steps, features, compositions and compounds disclosed herein or referred to or indicated in the specification and/or claims of this application, individually or collectively, and any and all combinations of any two or more of said steps or features.